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Abstract. We present Classical BI (CBI), a new addition to the family of bunched logics 
which originates in O'Hearn and Pym's logic of bunched implications BI. CBI differs from 
existing bunched logics in that its multiplicative connectives behave classically rather than 
intuitionistically (including in particular a multiplicative version of classical negation). At 
the semantic level, CBI-formulas have the normal bunched logic reading as declarative 
statements about resources, but its resource models necessarily feature more structure 
than those for other bunched logics; principally, they satisfy the requirement that every 
resource has a unique dual. At the proof-theoretic level, a very natural formalism for CBI 
is provided by a display calculus a la Belnap, which can be seen as a generalisation of the 
bunched sequent calculus for BI. In this paper we formulate the aforementioned model 
theory and proof theory for CBI, and prove some fundamental results about the logic, 
most notably completeness of the proof theory with respect to the semantics. 



1. Introduction 

Substructural logics, whose best-known varieties include linear logic, relevant logic and 
the Lambek calculus, are characterised by their restriction of the use of the so-called struc- 
tural proof principles of classical logic |44| . These may be roughly characterised as those 
principles that are insensitive to the syntactic form of formulas, chiefly weakening (which 
permits the introduction of redundant premises into an argument) and contraction (which 
allows premises to be arbitrarily duplicated). For example, in linear logic, only formulas 
prefixed with a special "exponential" modality are subject to weakening and contraction, 
while in relevant logic it is usual for contraction but not weakening to be permitted. 

Bunched logic is a relatively new area of substructural logic, but one that has been re- 
ceiving increasing attention amongst the logical and computer science research communities 
in recent years. In bunched logic, the restriction on the use of structural proof principles 
is achieved by allowing the connectives of a standard "additive" propositional logic, which 
admits weakening and contraction, to be freely combined with those of a second "multi- 
plicative" propositional logic, which does not. In contrast to linear logic, whose restricted 
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treatment of additive connectives yields a natural constructive reading of proofs as compu- 
tations pp, the inclusion of unrestricted additives in bunched logics gives rise to a simple 
Kripke-style truth interpretation according to which formulas can be understood as declar- 
ative statements about resource [40J. This resource reading of bunched logic has found 
substantial application in computer science, most notably in the shape of separation logic, 
which is a Hoare logic for program verification based upon various bunched logic models 
of heap memory [45 . The proof theory of bunched logic also differs markedly from the 
proof theory of linear logic, which is typically formulated in terms of sequent calculi whose 
sequents have the usual flat context structure based on lists or (multi)sets. However, since 
bunched logics contain both an (unrestricted) additive logic and a multiplicative one, proof 
systems for bunched logic employ both additive and multiplicative structural connectives 
for forming contexts (akin to the comma in standard sequent calculus). This gives rise to 
proof judgements whose contexts are trees -- originally termed "bunches" - built from 
structural connectives and formulas. 

Although the main ideas necessary to develop bunched logic can retrospectively be seen 
to have been present in earlier work on relevant logics, it first emerged fairly recently with 
the introduction of BI, O'Hearn and Pym's logic of bunched implications [36]. Semantically, 
BI can be seen to arise by considering the structure of cartesian doubly closed categories 
- i.e. categories with one cartesian closed structure and one symmetric monoidal closed 
structure [39 1 . Concretely, such categories correspond to a combination of standard intu- 
itionistic logic with multiplicative intuitionistic linear logiqj (MILL), and thus one has the 
following propositional connectives^! for BI: 

Additive: T _L -. A V ->• 

Multiplicative: T* * — * 

(where -i is the intuitionistic negation defined by —>F = F — > _L). As well as the semantics 
based on the aforementioned categories, BI can be given an algebraic semantics: one simply 
requires that the algebraic structure for BI has both the Heyting algebra structure required 
to interpret intuitionistic logic, and the residuated commutative monoid structure required 
to interpret MILL. By requiring a Boolean algebra instead of the Heyting algebra, one 
obtains the variant logic Boolean BI (BBI), which can be seen as a combination of classical 
logic and MILL [40 1 [39] . Most of the computer science applications of bunched logic are in 
fact based on BBI rather than BI; for example, the heap model used in separation logic is 
a model of BBI [26] . 

A natural question from a logician's standpoint is whether bunched logics exist in which 
the multiplicative connectives behave classically, rather than intuitionistically (and do not 
simply collapse into their additive equivalents). A computer scientist might also enquire 
whether such a logic could, like its siblings, be understood semantically in terms of resource. 
In this paper, we address these questions by presenting a new addition to the bunched 
logic family, which we call Classical BI (CBI), and whose additives and multiplicatives 
both behave classically. In particular, CBI features multiplicative analogues of the additive 
falsity, negation, and disjunction, which are absent in the other bunched logics. Thus CBI 
can be seen as a combination of classical logic and multiplicative classical linear logic (MLL). 



We refer here to linear logic without the exponentials. 
T* which is the unit of *, is often elsewhere written /. 
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We examine CBI both from the model-theoretic and the proof-theoretic perspective, each 
of which we describe below. 

Model-theoretic perspective: From the point of view of computer science, the main interest of 
bunched logic stems from its Kripke-style frame semantics based on relational commutative 
monoids, which can be understood as an abstract representation of resource |21|, [22] . In 
such models, formulas of bunched logic have a natural declarative reading as statements 
about resources (i.e. monoid elements). Thus the multiplicative unit T* denotes the empty 
resource (i.e. the monoid identity element) and a multiplicative conjunction F*G of two for- 
mulas denotes those resources which divide, via the monoid operation, into two component 
resources satisfying respectively F and G. The multiplicative implication — * then comes 
along naturally as the right-adjoint of the multiplicative conjunction *, so that F — * G 
denotes those resources with the property that, when they are extended with a resource 
satisfying F, this extension satisfies G. 

The difference between intuitionistic and classical logics can be seen as a matter of 
the differing strengths of their respective negations [38 1 . From this viewpoint the main 
obstacle to formulating a bunched logic like CBI is in giving a convincing account of classical 
multiplicative negation; multiplicative falsity can then be obtained as the negation of T* 
and multiplicative disjunction as the de Morgan dual of *. We show that multiplicative 
negation can be given a declarative resource reading just as for the usual bunched logic 
connectives, provided that we enrich the relational commutative monoid structure of BBI- 
models with an involutive operator (which interacts with the binary monoid operation in a 
suitable fashion). Thus every resource in a CBI- model is required to have a unique dual. 
In particular, every Abelian group can be seen as a CBI-model by taking the dual of an 
element to be its group inverse. Our interpretation of multiplicative negation ~ is then in 
the tradition of Routley's interpretation of negation in relevant logic [461 I19j : a resource 
satisfies ~-F iff its dual fails to satisfy F. This interpretation, which at first sight may seem 
unusual, is justified by the desired semantic equivalences between formulas. For example, 
under our interpretation F — * G is semantically equivalent to ^F v" G, where v" denotes 
the multiplicative disjunction. 

In Section 2 we state the additional conditions on BBI-models qualifying them as CBI- 
models and examine some fundamental properties of these models. We then give the forcing 
semantics for CBI-formulas with respect to our models, and compare the resulting notion 
of validity with that for BBI. Our most notable result about validity is that CBI is a non- 
conservative extension of BBI, which indicates that CBI is intrinsically different in character 
to its bunched logic siblings, and justifies independent consideration. 

Proof-theoretic perspective: The proof theory of BI (cf. [39} 136] ) can be motivated by the 
observation that the presence of two implications — >• and — * should give rise to two context- 
forming operations, which correspond to the conjunctions A and * at the meta-level. This 
situation is illustrated by the following (intuitionistic) sequent calculus right-introduction 
rules for the implications: 

T;F 1 \-F 2 T,F 1 \-F 2 

" (->R) — -(-*R) 



r h f 1 ->• f 2 r h Ft -* f 2 

For similar reasons, there should also be two different "empty contexts" or structural units, 
which are the structural equivalents of T and T* respectively. Accordingly, the contexts 
r on the left-hand side of the sequents in the rules above are not sets or sequences, as in 
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standard sequent calculi, but rather bunches: trees whose leaves are formulas or structural 
units and whose internal nodes are either semicolons or commas. The crucial difference 
between the latter two operations is that weakening and contraction are possible for the 
additive semicolon but not for the multiplicative comma. Since BI is intuitionistic in both its 
additive and multiplicative components, bunches arise only on the left-hand side of sequents, 
with a single formula on the right. In order to take into account the bunched contexts in 
BI sequents, the left-introduction rules for logical connectives are then formulated so as to 
apply at arbitrary positions within a bunchj. E.g., the left-introduction rules for the two 
implications can be formulated as: 

A \- F 1 T(F 2 ) h F A \- F 1 T(F 2 ) h F 
— (->L) — (-RL) 

T(A;F 1 ^F 2 )hF T(A,F 1 ^F 2 )hF 

where T(A) denotes a bunch T with a distinguished sub-bunch occurrence A. In contrast, 
the right-introduction rules need take into account only the top level of bunches, as in the 
right-introduction rules above for the implications. 

For a classical bunched logic like CBI, it would appear natural from a proof-theoretic 
perspective to consider a full two-sided sequent calculus, in which semicolon and comma in 
bunches on the right of sequents correspond to the additive and multiplicative disjunctions. 
Unfortunately, it is far from clear whether there exists such a sequent calculus admitting 
cut-elimination, or a similar natural deduction system satisfying normalisation (see [5j [39] 
for some discussion of the difficulties) . 

In Section El we address this rather unsatisfactory situation by formulating a display 
calculus proof system for CBI that satisfies cut-elimination, with an attendant subformula 
property for cut-free proofs. Display calculi were first introduced in the setting of Belnap's 
display logic [2], which is a generalised framework that can be instantiated to give con- 
secution calculi a la Gentzen for a wide class of logics. Display calculi are characterised 
by the fact that any proof judgement may always be rearranged so that a chosen struc- 
ture occurrence appears alone on one side of the proof turnstile. Remarkably, Belnap also 
showed that cut-elimination is guaranteed for any display calculus whose proof rules satisfy 
8 simple syntactic conditions. It is a straightforward matter to instantiate Belnap's display 
logic so as to obtain a display calculus for CBI, and to show that it meets the conditions 
for cut-elimination. Moreover, our display calculus is sound and complete with respect to 
validity in our class of CBI-models. Soundness follows by showing directly that each of 
the proof rules preserves CBI- validity. The proof of completeness, which is presented in 
Section HI is by reduction to a completeness result for modal logic due to Sahlqvist. 

Applications: Bunched logic (especially BBI) and its resource semantics has found appli- 
cation in several areas of computer science, including polymorphic abstraction |15j . type 
systems for reference update and disposal [3J, context logic for tree update [10] and, most 
ubiquitously, separation logic [45J which forms the basis of many contemporary approaches 
to reasoning about pointer programs (recent examples include [37 1 IT3 ] IT5]). 

Unfortunately, the fact that CBI is a non-conservative extension of BBI appears to rule 
out the naive use of CBI for reasoning directly about some BBI-models such as the sepa- 
ration logic heap model, which is not a CBI-model. On the other hand, non-conservativity 



o 

In this respect, the BI sequent calculus resembles calculi for deep inference |8J. However, deep inference 
calculi differ substantially from sequent calculi in that they abandon the distinction between logical and 
structural connectives, and thus technically they are more akin to term rewriting systems. 
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indicates that CBI can reasonably be expected to have different applications to those of 
BI and BBI. In Section [5] we consider a range of example CBI-models drawn from quite 
disparate areas of mathematics and computer science, including bit arithmetic, regular lan- 
guages, money, generalised heaps and fractional permissions. In Section [6] we suggest some 
directions for future applications of CBI, and discuss some related work. 

This paper is a revised and expanded version of [6J, including several new results. We 
have endeavoured to include detailed proofs where space permits. 

2. Frame semantics and validity for CBI 

In this section we define CBI, a fully classical bunched logic featuring additive and 
multiplicative versions of all the usual propositional connectives (cf. [39]), via a class of 
Kripke-style frame models. We also compare the resulting notion of CBI- validity with 
validity in BBI. 

Our CBI-models are based on the relational commutative monoids used to model 
BBI |22]I10]. In fact, they are special cases of these monoids, containing extra structure: an 
involution operation ' — 'on elements and a distinguished element oo that characterises the 
result of combining an element with its involutive dual. We point the reader to Section [5] 
for a range of examples of such models. 

In the following, we first recall the usual frame models of BBI, and then give the 
additional conditions required for such models to be CBI-models. Note that we write V(X) 
for the power set of a set X. 

Definition 2.1 (BBI-model). A BBI-modeZ is a relational commutative monoid, i.e. a tuple 
(R, o, e), where e € R and o : R x R — > V(R) are such that o is commutative and associative, 
with r o e = {r} for all r G R. Associativity of o is understood with respect to its pointwise 
extension to V{R) x V(R) — >• V(R), given by X oY = def \J xe x,yeY X °V- 

Note that we could equally well represent the operation o in a BBI-model (R, o, e) as 
a ternary relation, i.e. o C R x R x R, as is typical for the frame models used for modal 
logic [3] and relevant logic |44j . We view o as a binary function with type R x R —> V(R) 
because BBI-models are typically understood as abstract models of resource, in which o is 
understood as a (possibly non-deterministic) way of combining resources from the set R. 

Definition 2.2 (CBI-model). A CBI-model is given by a tuple (R, o,e, — , oo), where 
{R, o, e) is a BBI-model and — : R — > R and oo £ R are such that, for each x£fl, —x is 
the unique element of R satisfying ooCio —x. We extend ' — ' pointwise to V{R) — > V{R) 
by -X = def {-x | x € X}. 

We remark that, in our original definition of CBI-models [6], both oo and — x for x € R 
were defined as subsets of R, rather than elements of R. However, under such circumstances 
both —x and oo are forced to be singleton sets by the other conditions on CBI-modelsj. 
Thus there is no loss of generality in requiring —x and oo to be elements of R. 



In fact, oo is forced to be a singleton set because our models employ a single unit e and we have oo = ~e 
(see Prop 12.3]) . It is, however, possible to generalise our BBI-models to multi-unit models employing a set of 
units E C R such that xoE = {x} (cf. I17II7] 1 ). Then, in the corresponding definition of CBI-model, we have 
oo C R is not a singleton in general and —x is required to be the unique element in R with oo n (x o —x) ^= 0. 
However, as we shall show in Section [4j CBI is already complete with respect to the class of single-unit 
models provided by our Definition ^. 21 
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Proposition 2.3 (Properties of CBI-models). If (R, o, e, — , oo) is a CBI-model then: 

(1) Vx £ R. x = x; 

(2) — e = oo; 

(3) Vx, y, z € i?. 2 € x o y iff — x £ y o —z iff — y £ x o — z. 

Proo/. 

(1) By definition of CBI-models, and using commutativity of o, we have oo £ —x o x. 

However, again by definition, x is the unique y £ R such that oo £ —xoy. Thus 

we must have x = x. 

(2) We have that — e is the unique y £ R such that oo £ e o y. Since oo £ {oo} = e o oo 
by definition, we have — e = oo. 

(3) We prove that the two bi-implications hold by showing three implications. Suppose 
first that z £ x o y. Using associativity of o, we have: 

oo£zo — z C (ioj)o — z = x o (y o —z) 

Since — x is the unique w £ R such that oo6ioto,we must have — x £ y o —z. 

For the second implication, suppose that — x £ y o — z. By the first implication 
and part Q] above and commutativity of o, we then have as required: 

— y £ —z o x = x o — z = x o — z 

Finally, for the third implication, suppose that — y £ x o —z. Using the first and 

second implications together we obtain z £ y o x, i.e. z £ x o y as required. 

This completes the proof. 

□ 

We note that for any CBI-model (R, o, e, — , oo) based on a fixed underlying BBI- model 
(R, o, e), part[2]of Proposition 12.31 implies that the element oo is determined by the choice of 
' — ', while the CBI-model axiom in Definition 12.21 ensures that, conversely, '—'is determined 
by the choice of oo. We include both '— ' and oo in our model definition only for convenience. 

We now define the syntax of formulas of CBI, and their interpretation inside our CBI- 
models. We assume a fixed, countably infinite set V of propositional variables. 

Definition 2.4 (CBI- formula). Formulas of CBI are given by the following grammar: 

F ::= P\T\±\^F\FAF\FVF\F^F\ 
T* | _L* | ~F | F * F | F v- F \ F ~* F 

where P ranges over V. We treat the negations —> and ~ as having greater precedence than 
the other connectives, and use parentheses to disambiguate where necessary. As usual, we 
write F <-> G as an abbreviation for (F -> G) A (G -> F). 

We remark that the connectives of CBI-formulas are the standard connectives of BBI- 
formulas, plus a multiplicative falsity _L*, negation ~ and disjunction v". In order to define 
the interpretation of our formulas in a given model, we need as usual environments which 
interpret the propositional variables, and a satisfaction or "forcing" relation which interprets 
formulas as true or false relative to model elements in a given environment. 

Definition 2.5 (Environment). An environment for either a CBI-model (R, o, e, — , oo) or 
a BBI-model (R, o, e) is a function p : V — > V(R) interpreting propositional variables as 
subsets of R. An environment for a model M will sometimes be called an M -environment. 
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Definition 2.6 (CBI satisfaction relation). Let M = (R,o,e, — ,00) be a CBI-model. Sat- 
isfaction of a CBI-formula F by an M-environment p and an element r G R is denoted 
r |=p F and defined by structural induction on F as follows: 

r\= p P <^> r G p(P) 

r \= p T <^ always 

r \= p _L <^> never 

r ^ p -F «■ r ^ p F 

r ^ p F 1 A F 2 ^ r^ p F x and r ^ p F 2 

r^ p F 1 \/F 2 «■ r ^ p Fi or r ^ p F 2 

r |= p F ->• F 2 «=> r \= p F\ implies r |= p F 2 

r Np T* ^ r = e 
r ^ p _J_* -<4> r/cxD 

r h, ~F «■ -r ^ p F 

?" H/o -^1 * -^2 "^ 3ri, r 2 e£rerior 2 and n |= p F]_ and r 2 ^ p F 2 

r ^ p Fi v" F 2 -£4> Vri, r 2 G i?. — r G r\ o r 2 implies — r\ \= p F\ or — r 2 \= p F 2 

r |=p Fi — * F 2 44> Vr', r" G R. r" G r o r' and r' |= p F\ implies r" \= p F 2 

We remark that the above satisfaction relation for CBI is just an extension of the stan- 
dard satisfaction relation for BBI with the clauses for _L*, ~ and v". The interpretations of 
_L* and v", however, may be regarded as being determined by the interpretation of the mul- 
tiplicative negation ~ since, as we expect the classical relationships between multiplicative 
connectives to hold, we may simply define _L* to be ~T* and F v" G to be ~(~F * ~G). 
The interpretation of ~ itself will not surprise readers familiar with relevant logics, since 
negation there is usually semantically defined by the clause: 

x (= ~A 44> x* y= A 

where x and x* are points in a model related by the somewhat notorious "Routley star" , the 
philosophical interpretation of which has been the source of some angst for relevant logicians 
(see e.g. [33] for a discussion). In the setting of CBI, the involution operation ' — ' in a CBI- 
model plays the role of the Routley star. A more prosaic reason for our interpretation of 
~ is that it yields the expected semantic equivalences between formulas. Other definitions 
such as, e.g., the superficially appealing r \= p ~F <£> —r \= p F do not work, because the 
model operation ' — ' does not itself behave like a negation (it is not antitonic with respect 
to entailment, for instance). For example, in analogy to ordinary classical logic, we would 
expect that r \= p F — * G iff r \= p ~(F * ~G). However, satisfaction of — * involves universal 
quantification while satisfaction of * involves existential quantification, strongly suggesting 
that the incorporation of a Boolean negation into ~ is necessary to ensure such an outcome. 
One can also observe that the following is true in any CBI-model: 

—r \= p F 44> 00 G r o — r and —r \= p F 

<£4> 3r' 3 r" . r" G r o r' and r' \= p F and r" = 00 
i.e. — r \/= p F 44> W, r" . r" G r o r' and r' \= p F implies r" 7^ 00 

By interpreting _L* and ~ as we do in Definition 12. 6| we immediately obtain r \= p ~F iff 
r \= p F-*l*, another desired equivalence. 

Definition 2.7 (Formula validity). We say that a CBI-formula F is true in a CBI-model 
M = (R, o,e, — ,00) iff r \= p F for any M-environment p and r G R. F is said to be 
(CBl)-valid if it is true in all CBI-models. 
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Truth of BBI-formulas in BBI-models, and BBI- validity of formulas, is defined similarly. 
Lemma 2.8 (CBI equivalences). The following formulas are all CBI- valid: 

~T <+ _L F v 1 G o ~(~F * ~G) 

~T* <->■ _L* (F -* G) o ~F v 1 G 

~~F o F (F-*G) o (~G^~F) 

-,~F <-> — F (F-#G) o ~(F*~G) 

~F o (F -* _L) F V" _L* o F 

Proof. We fix an arbitrary CBI-model M and M-environment p. For each of the equiv- 
alences F f> G we require to show r \= p F 44> r \= p G. These follow directly from the 
definition of satisfaction, plus the properties of CBI-models given by Proposition 12.31 We 
show three of the cases in detail. 

Case (F -* G) O ~F % G: 

r \= p ~F v 1 G <£4> Wi, r2 G F. — r G ri o r2 implies — n ^ p ~F or — r2 ^ p G 

(by Prop 12.31 pt. [[]) 44> Vri, r2 G F. — r G r\ o r2 implies ri ^= p F or — r2 ^ p G 

44> Vri, r2 G R. — r G ri o r2 and ri |= p F implies — r2 ^ p G 

(by Prop 12.31 pt. [Q) 44> Vri, T2 G F. — r G ri o —V2 and T\ \= p F implies T2 \= p G 

(by Prop 12.31 pt. [3|) 44> Vri, r2 G F. r2 G r o r\ and ri \= p F implies r2 \= p G 

t$ r\= p F-*G 

Case (F -* G) <* (~G -* ~F); 

r ^ p ~G — * ~F <^> Vr', r" G R. r" G r o r' and r' |= p ~G implies r" \= p ~F 

<S> Vr', r" G F. r" G r o r' and — r' ^= p G implies — r" \/= p F 

(by Prop [El pt. CQ) O Vr', r" G F. -r" G r o -r' and r' ^ p G implies r" ^ p F 

^ y r ^ r " g f> _ r " g r _ r ' anc [ r " |_ _p implies r' ^ p G 

(by Prop E31 pt. EP O Vr', r" G F. r' G r o r" and r" ^ p F implies r' ^ p G 
O r h P F -* G 

Case F v" 1* <-> F: 

r \= p F v" _L* 44> Vri, r2 G R. — r G T\ o r2 implies — n |= p F or — r2 (= p -1* 

44> Vri, r2 G R. — r G T\ o r2 implies — n ^ p F or — r2 7^ 00 

(by Prop 12, 3j pt. EP 44> Vri, r2 G R. — r G n. ° r 2 implies — n \= p F or r2 7^ e 

44> Vri G F. — r G ri o e implies —7*1 (= p F 

44> Vri G R. —r = 7*1 implies —7*1 ^ p F 

^ r H P F 

a 

We remark that there is nevertheless at least one important classical equivalence whose 
multiplicative analogue does not hold in CBI in the strong sense of Lemma 12.81 the law 
of excluded middle, T* -f-)- F v - ~F, which (using the lemma) is equivalent to the law of 
contradiction, _L* -H- F * ~F. This equivalence certainly holds in one direction, since if 
r ^ p F * ~F then r G 7*1 o r2, ri ^ p F and — r2 ^= p F, so v\ 7^ — r2 and thus r 7^ 00 
by the CBI-model axiom, i.e. r ^ p _L*. The converse implication does not hold as, given 
r \= p _L* and some formula F, it clearly is not the case in general that r \= p F * ~F (e.g., 
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take F = _L). However, the law does hold in the weak sense that _L* is true in a model M 
iff F * ~P is true in M. One direction of the implication follows by the argument above, 
and the other from the fact that _L* is never true in M (because oo \/= p _L* for any p). 

One might be tempted to think that, since CBI-models are BBI-models and the defi- 
nition of satisfaction for CBI coincides with that of BBI when restricted to BBI- formulas, 
CBI and BBI might well be indistinguishable under such a restriction. Our next result 
establishes that this is by no means the case. 

Proposition 2.9 (Non-conservative extensionality) . CBI is a non-conservative extension 
of BBI. That is, every BBI- valid formula is also CBI- valid, but there is a BBI- formula that 
is CBI-valid but not BBI-valid. 

Proof. To see that BBI-valid formulas are also CBI-valid, let M = (P, o, e, — , oo) be a CBI- 
model, whence M' = (P, o, e) is a BBI-model. For any BBI-valid formula F we have that 
F is true in M' , and thus F is also true in M (because the definition of satisfaction of F 
coincides in CBI and BBI for BBI- formulas). Since M was arbitrarily chosen, F is CBI-valid 
as required. 

Now let P be a propositional variable and let I and J be abbreviations for BBI-formulas 
defined as follows: 

I =dcf -'T* -* _L 

J =dcf T * (T* A -.(P -* -./)) 

In a BBI-model (R, o, e), the formula I denotes "nonextensible" elements of R, i.e. those 
elements r G R such that r o r' = for all r' ^ e: 

r \= p I <^> W , r" G R. r" G r o r' and r' \= p -iT* implies r" \= p _L 

<=£> Vr', r" € R. r" € r o r' implies r' ^=p -■T* 

44> Vr', r" 6 i?. r" £ r o r' implies r' = e 

•4=> Vr' € i?. r' ^ e implies r o r' = 

The formula J is satisfied by an arbitrary element of R iff there exists some element of 
R that satisfies the proposition P and is nonextensible: 

r ^ p J 44> 3ri,r2 € -R. r G ri o r2 and n ^ p T and r2 ^ p T* A -i(P -* ->I) 

■^ 3ri, 7*2 G P. r G ri o r2 and r2 ^ p T* and r2 ^= p P —* ->I 

e> e^ p P^^I 

<=> 3r', r" G P. r" G e o r' and r' ^ p P but r" Y= p ->I 

<4> 3r' G P. r' G p(P) and r' ^ p I 

Note that in any CBI-model (P, o, e, — , oo), for any r G P we have r o — r 7^ since 
00 G r o — r by definition. Since 00 is the unique element x G P such that — x = e by 
Proposition 12. 3j, it follows that if r \= p I then r = 00. Thus, in CBI-models, if r \= p I and 
r \= p J then r = 00 G p(P), so the BBI- formula / A J — > P is CBI-valid. 

To see that /A J — >• P is not BBI-valid, consider the three-element model ({e, a, 6}, o, e), 
where o is defined by: eox = xoe = {x} for all x G {e, a, 6}, and x o y = for all other 
x,y G {e,a,6}. It is easy to verify that o is both commutative and associative and that e 
is a unit for o, so ({e, o, b}, o,e) is indeed a BBI-model. Now define an environment p for 
this model by p(P) = {a}. We have both a \= p I and b \= p I because a and b are both 
nonextensible in the model, and b \= p J because a \= p I and a G p(P)- Then we have 
b \= p I A J but b y= p P, so I A J — > P is false in this model and hence not BBI-valid. □ 
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If (R,o,e, — ,00) is a CBI-model and the cardinality of x o y is < 1 for all x,y £ R, 
then we understand o as a partial function R x R —>■ R in the obvious way. The following 
proposition shows that, if we were to restrict our class of CBI-models to those in which the 
binary operation is a partial function rather than a relation, we would obtain a different 
notion of validity. In other words, CBI is sufficiently expressive to distinguish between 
partial functional and relational CBI-models. 

Proposition 2.10 (Distinction of partial functional and relational CBI-models). CBI- 
validity does not coincide with validity in the class of partial functional CBI-models. That 
is, there is a CBI-formula that is not generally valid, but is true in every CBI-model 
(R, o, e, — , 00) in which o is a partial function. 

Proof. Let K and L be abbreviations for CBI-formulas defined as follows: 

K = dcf -.(-d.* ^ -.T) 
L =def ~d* -+ T* 

In a CBI-model (R, o, e, — , 00), the formula K is satisfied by those model elements that can 
be extended by 00 to obtain e: 

r \= p K <=> V, r" £ R. r" £ r o r' and r' \= p -d* but r" ^ p ^T* 

^ ^J./^ J," g ft J," g J. Q J.I anC J J.I — QQ an J J,'/ _ g 

-<=> e G r o 00 

Similarly, the formula L is satisfied by those elements that, whenever they are extended by 
00, always yield e: 

r ^p L <^> Vr', r" £ R. r" £ r o r' and r' (= p -i_L* implies r" ^ p T* 
^ y r ^ r /' ^ n r " ^ r r ' an j r ' — qq i m pii e s r " = e 

<^4> r o 00 C {e} 

Let M = (R,o,e, —,00} be a CBI-model in which o is a partial function, let p be an M- 
environment and let r £ R. Suppose that r ^ p K, so that e £ r o 00 by the above. Since 
o is a partial function, the cardinality of r o 00 is at most 1, so we must have r o 00 = {e}, 
i.e., r \= p L. Thus the formula K — » L is true in M, and so valid with respect to partial 
functional CBI-models. 

To see that K — > L is not generally valid, we must provide a CBI-model in which it 
is false. Consider the three-element model ({e, a, 00}, o, e, — , 00}, where — is defined by 
— e = 00, —a = a, —00 = e and o is defined as follows: 

eox = xoe = {x} for all x £ {e, a, 00} 
a o a = {e, 00} 

aooo = oooa = ooooo = {e, a} 

In this model e is a unit for o and o is commutative by construction. It can also easily be 
verified that is associative (e.g., a o (a o 00) = {e, a, 00} = (a o a) o 00) and that — x is the 
unique element such that 00 £ x o —x for all x £ {e, a, 00}. Thus ({e, a, 00}, o, e, — , 00} is 
indeed a CBI-model (and we note that o is not a partial function) . Now for any environment 
p we have a \= p K since e £ a o 00, but a ^= p L since a £ a o 00. Thus -ftT — > L is false in 
this model, and hence invalid. □ 
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Our proof of Proposition 12.101 does not transfer straightforwardly to BBI because it 
crucially relies upon the fact that, in CBI, we can write down a formula ( _i -L*) that is 
satisfied by exactly one model element (oo), which is not the unit e in general. Subsequent 
to submission of this paper, however, it has been shown by Larchey-Wendling and Galmiche 
that BBI is indeed incomplete with respect to partial functional models [30J. 



3. DLcBi: A DISPLAY CALCULUS PROOF SYSTEM FOR CBI 

In this section, we present DLcbu a display calculus for CBI based on Belnap's general 
display logic [2], which provides a generic framework for obtaining formal Gentzen-style 
consecution calculi for a large class of logics. Display calculi are akin to sequent calculi 
in that logical connectives are specified by a pair of introduction rules introducing the 
connective on the left and right of proof judgements respectively. However, the proof 
judgements of display calculi have a richer structure than an ordinary sequent, and thus we 
require a corresponding set of meta-level rules (called display postulates) for manipulating 
this structure. This ensures the characteristic, and very useful display property of display 
calculi: any proof judgement may be rearranged so that any given part of the judgement 
appears alone on one side of the turnstile (without loss of information). In addition to 
its conceptual elegance, this property ensures that cut-elimination holds for any display 
calculus whose structural rules obey a few easily verified conditions (cf. |2j). Our display 
calculus DLcbi indeed satisfies these cut-elimination conditions. Furthermore, it is sound 
and complete with respect to our CBI-models. 

Belnap's original formulation of display logic treats an arbitrary number of "families" 
of propositional connectives. The necessary structural connectives, display postulates and 
logical introduction rules are then ascribed automatically to each family, with only the 
structural rules governing the family chosen freely. For CBI, it is obvious that there are 
two complete families of propositional connectives, one additive and one multiplicative. 
Thus the formulation of DLcbi can be viewed as arising more or less directly from Belnap's 
general schema. 

The proof judgements of DLcbi, called consecutions, are built from structures which 
generalise the bunches used in existing proof systems for BI (cf . [39J ) . 

Definition 3.1 (Structure / consecution). A DLcbi -structure X is constructed according 
to the following grammar: 

X ::= F | | p: [ X; X | | \>X \ X, X 

where F ranges over CBI-formulas. If X and Y are structures then X h Y is said to be a 
consecution. 

Figure [T] gives a summary of the structural connectives of our display calculus and 
their semantic reading as antecedents (or premises) and consequents (or conclusions) in a 
consecution. However, the presence of the meta-level negations jj and b in our structures 
leads to a subtler notion of antecedent and consequent parts of consecutions than the simple 
left-right division of sequent calculus. Informally, moving inside a meta-level negation flips 
the interpretation of its immediate substructure. For example, if %X or \>X is an antecedent 
part then the substructure X should be interpreted as a consequent part, and vice versa. 
This notion is made formal by the following definition. 
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Connective Arity Antecedent meaning Consequent meaning 

_L 
! : _L* 






T 





T* 


1 


— 1 


1 


r\j 


2 


A 


2 


* 



V 

Figure 1: The structural connectives of DLcbi- 

Definition 3.2 (Antecedent part / consequent part). A structure occurrence W is said to 
be a part of another structure Z if W occurs as a substructure of Z (in the obvious sense). 
W is said to be a positive part of Z if W occurs inside an even number of occurrences of ft 
and b in Z, and a negative part of Z otherwise. 

A structure occurrence W is said to be an antecedent part of a consecution X h y if it 
is a positive part of A or a negative part of Y. W is said to be a consequent part of A h y 
if it is a negative part of A or a positive part of Y . 

To give the formal interpretation of our consecutions in the following definition, we 
employ a pair of mutually recursive functions to capture the dependency between antecedent 
and consequent interpretations. 

Definition 3.3 (Consecution validity). For any structure A we mutually define two for- 
mulas ^>x and T x by induction on the structure of A as follows: 
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- y is then wa/irf if ^x — > 


Ty 


is a valid formula (cf. Defn. [27 



We write a proof rule with a double line between premise and conclusion to indicate that 
it is bidirectional, i.e., that the roles of premise and conclusion may be reversed. A figure 
with three consecutions separated by two double lines is used to abbreviate two bidirectional 
rules in the obvious way. 

Definition 3.4 (Display-equivalence). Two consecutions A h Y and A' h Y' are said to 

be display-equivalent, written X \- Y =o X' h Y', if there is a derivation of one from the 
other using only the display postulates given in Figure [2j 

The display postulates for DLcbi ar e essentially Belnap's original display postulates, 
instantiated (twice) to the additive and multiplicative connective families of CBI. The only 
difference is that our postulates build commutativity of the comma and semicolon into the 
notion of display-equivalence, since in CBI both the conjunctions and both the disjunctions 
are commutative. 

The fundamental characteristic of display calculi is their ability to "display" structures 
occurring in a consecution by rearranging it using the display postulates. 
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(AD3a) 
(AD3b) 



(MD3a) 
(MD3b) 



Figure 2: The display postulates for DLcbi- 



Theorem 3.5 (Display theorem (Belnap |_2j)). For any antecedent part W of a consecution 
X \- Y there exists a structure Z such that W \- Z =d X \~Y . Similarly, for any consequent 
part W of X \- Y there exists a structure Z such that Z \- W =d X \- Y . 

Proof. Essentially, one uses the display postulates to move any structure surrounding W to 
the opposite side of the consecution, or to eliminate any preceding occurrences of ft and b 
(note that for each possible position of W in X h Y there are display postulates allowing 
the topmost level of structure above W to be moved away or eliminated). Moreover, each 
of the display postulates preserves antecedent and consequent parts of consecutions, so that 
W must end up on the correct side of the consecution at the end of this process. The details 
are straightforward. □ 

Example 3.6. The antecedent part Y of the consecution b(X, jJY") h Z; \>W can be displayed 
as follows: 



\>(X, PO h Z; \?W 

b(Z;bVF)hbb(X,|jy) 
\>\>\>{Z;bW) hbb(X,tfy) 



(MD3a) 
(MD3a,b) 



\>(X,$Y) ^\>\>(Z;bW) 
b(Z;bW) hXJY 
b(Z;bW),bX^#Y 

UY\-mZ;\>W)M) 



(MD3a) 
(MD3a) 
(MD2b) 
(AD3a) 
(AD3a,b) 



Y^mz;bW),bx) 

The proof rules of DLcbi are given in Figure [3j The identity rules consist of the usual 
identity axiom for propositional variables, a cut rule and a rule for display equivalence. 
The logical rules follow the division between left and right introduction rules familiar from 
sequent calculus. Note that, since we can appeal to Theorem 13.51 the formula introduced 
by a logical rule is always displayed in its conclusion. Both the identity rules and the logical 
rules are the standard ones for display logic, instantiated to CBI. The structural rules of 
DLcbi implement suitable associativity and unitary laws on both sides of consecutions, plus 
weakening and contraction for the (additive) semicolon. 
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Identity rules: 

(Id) 

PV P 



XV F fvy 
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XVY 
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Logical rules: 
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XhFt/G 

X,FhG 
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(vR) 

(-HRR) 



Structural rules: 

Ty ; (x ; y)hz 

(AAL) 



(W;X);YVZ 
0;Xhy 



xhy 

XV z 
X\YV Z 



(0L) 
(WkL) 



Tyh(x ; y) ; z 



iyhx ; (y ; z) 
xhy ; 



(AAR) 
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XVY-Z 



(0R) 
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(W,X),Y\-Z 

0,xhy 



(MAL) 



xhy 

X;X h Z 

XV z 



(0L) 
(CtrL) 



v^h(x,y),z 



w h x, (y, z) 

xhy.0 
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xhy 

Xh Z;Z 

XV z 
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Figure 3: The proof rules of DLcbi- W, X, Y, Z range over structures, F, G range over CBI- 
formulas and P ranges over V. 

The identity axiom of DLcbi is postulated only for propositional variableqj, but can be 
recovered for arbitrary formulas. We say a consecution is cut-free provable if it has a DLcbi 
proof containing no instances of (Cut). 



This is standard in display logic, and slightly simplifies the proof of cut-elimination. 
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Proposition 3.7. F h F is cut-free provable in DLcbi for any formula F. 

Proof. By structural induction on F. □ 

Theorem 3.8 (Cut-elimination). If a consecution X \- Y is provable in DLcbi then it is 
also cut-free provable. 

Proof. The DLcbi proof rules satisfy the conditions shown by Belnap in [2] to be sufficient 
for cut-elimination to hold. We state these conditions and indicate how they are verified in 
Appendix [A] □ 

The following corollary of Theorem l3.8l uses the notion of a subformula of a CBI-formula, 
defined in the usual way. 

Corollary 3.9 (Subformula property). If X h Y is DLcBi-provable then there is a DLcbi 
proof of X h Y in which every formula occurrence is a subformula of a formula occurring 
inXhY. 

Proof. If X h y is provable then it has a cut-free proof by Theorem 13.81 By inspection of 
the DLcbi rules, no rule instance in this proof can have in its premises any formula that is 
not a subformula of a formula occurring in its conclusion. Thus a cut-free proof of X h Y 
cannot contain any formulas which are not subformulas of formulas in X \- Y. rj 

Corollary 3.10 (Consistency). Neither h nor h is provable in DLcbi- 

Proof. If h were DLcBi-provable then, by the subformula property (Corollary I3.9|) 
there is a proof of h containing no formula occurrences anywhere. But every axiom of 
DLcbi contains a formula occurrence, so this is impossible. Then h cannot be provable 
either, otherwise 0;0 h 0;0 is provable by applying (WkL) and (WkR), whence h is 
provable by applying (0L) and (0R), which is a contradiction. □ 

Our main technical results concerning DLcbi are the following. 

Proposition 3.11 (Soundness). If X h Y is DLcBi-provable then it is valid. 

Proof. It suffices to show that each proof rule of DLcbi is locally sound in that validity of 
the conclusion follows from the validity of the premises. In the particular case of the display 
rule (=d), local soundness follows by establishing that each display postulate (see Figure [2]) 
is locally sound. We show how to deal with some sample rule cases. 

Case (-*L). Let M = {R, o, e, — , oo) be a CBI-model, let r G R and suppose r \= p F —* G, 
whence we require to show r \=„ ^fy x v" Ty. Using Lemma 12.81 it suffices to show that 
r \= p ^>x - * Ty. So, let r',r" € R be such that r" G r o r' and r' \= p *&x, whence we 
require to show r" \= p Ty. Since the premise X h F is valid and r' |= p ^x by assumption, 
we have r' \= p F. Then, since r \= p F — * G and r" E r or' , we have r" ^ p G. Finally, since 
the premise G h Y is valid by assumption, we have r" \= p Ty as required. 

Case (tyL). Let M = (-R, o, e, — , oo) be a CBI-model, let r G R and suppose r ^ p F v - G, 
whence we require to show r ^ p Tx $ Ty. So, let ri,T2 G i? be such that — r G n o r2, 
whence we require to show either — n ^ p Tx or — r2 (= p Ty. Since — r G n or2 and 
r \= p F V G, we have either n |= p -F or r2 |= p G. Then, since the premises Fhl and 
G \~ Y are assumed valid, we have the required conclusion in either case. 
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(Proposition [37 
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Figure 4: A cut-free DLcbi proof of ~-F I — i~F. 

Case (MAR). Both directions of the rule follow by establishing that for any CBI-model 
M = (R, o, e, -, oo) and r £ i? we have r ^ p T x ♦ (Ty v' T z ) iff r ^ p (T x v" Ty) ♦ T z . 
Using the equivalences F v" G O ~(~F * ~G) and ~~i^ f-> .p given by Lemma 12.81 it 
suffices to show that r ^ p ~(~Tx * (~Ty * ~T Z )) iff r ^ p ~((~Tx * ~Ty) * ~T Z ). This 
follows straightforwardly from the definition of satisfaction and the associativity of o. 

Case (MDla). We show how to treat one direction of this display postulate; the reverse 
direction is symmetric. Let M = (R,o,e,—,oo) be a CBI-model, let r € R and suppose 
that r \= p Vl/x; whence we require to show r \= p ~\Py V Tz- By Lemma 12.81 it suffices to 
show r \= p tyy ~* Tz- So let r',r" € R be such that r" € r o r' and r' \= p \I/y, whence 
we require to show r" \= p Tz- Since r \= p ^x we have r" \= p ^fx * *&Y, whence we have 
r" \= p Tz as required because the premise X, Y \- Z is assumed valid. □ 

Theorem 3.12 (Completeness of DLcbi)- If X \- Y is valid then it is provable in DLcbi- 

We give the proof of Theorem 13.121 in Section [U 

We remark that, although cut-free proofs in DLcbi enjoy the subformula property, they 
do not enjoy the analogous "substructure property" , and cut-free proof search in our system 
is still highly non-deterministic due to the presence of the display postulates and structural 
rules, the usage of which cannot be straightforwardly constrained in general. In FigureHJwe 
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give a sample cut-free proof of the consecution ~-iF I — i~F, which illustrates the problems. 
The applications of display-equivalence are required in order to apply the logical rules, as 
one would expect, but our derivation also makes essential use of contraction, weakening and 
a unitary law. It is plausible that the explicit use of at least some of these structural rules 
can be eliminated by suitable reformulations of the logical rules. However, the inherent 
nondeterminism in proof search cannot be removed by refining DLcbi without loss of power 
since, by soundness and completeness, provability in DLcbi is equivalent to validity in CBI, 
which has been recently shown undecidable by the first author and Kanovich [7J. This is not 
fundamentally surprising, since at least some displayable logics are known to be undecidable; 
indeed, one of Belnap's original applications of display logic was in giving a display calculus 
for the full relevant logic R, which was famously proven undecidable by Urquhart |48j . 
(Unfortunately, we cannot distinguish decidable display calculi from undecidable ones in 
general; the decidability of an arbitrary displayable logic was itself shown undecidable by 
Kracht [29].) 

Nonetheless, we argue that there are good reasons to prefer our DLcbi over arbitrary 
complete proof systems (e.g. Hilbert systems) without cut-elimination. Display calculi in- 
herit the main virtues of traditional Gentzen systems: they distinguish structural princi- 
ples from logical ones, and make explicit the considerable proof burden that exists at the 
meta-level, but nevertheless retain a theoretically very elegant and symmetric presentation. 
Furthermore, as a result of the subformula property one has in display calculi what might 
be called a property of "finite choice" for proof search: for any consecution there are only 
finitely many ways of applying any rule to it in a backwards fashioio 

4. Completeness of DLcbi 

In this section we prove completeness of our display calculus DLcbi with respect to 
validity in CBI-models. As in the case of the analogous result for BBI in [TO], our result 
hinges on a general completeness theorem for modal logic due to Sahlqvist. However, we 
also require an extra layer of translation between Hubert-style proofs and proofs in DLcbi- 

Our proof is divided into three main parts. First, in subsection 14.11 we reinvent CBI 
as a modal logic by defining a class of standard modal frames, with associated modalities 
corresponding to the standard CBI-model operations, that satisfy a certain set of modal logic 
axioms. By appealing to Sahlqvist's completeness theorem, we obtain a complete Hilbert- 
style proof theory for this class of frames. It then remains to connect the modal presentation 
of CBI to our standard presentation. In subsection 14.21 we show that the aforementioned 
class of modal frames is exactly the class of CBI-models given by Definition 12.21 Then, in 
subsection 14.31 we show how to translate any modal logic proof into a DLcbi proof. Thus 
we obtain the DLcBi-provability of any valid consecution. 

4.1. CBI as a modal logic. In this subsection we define the semantics of a modal logic 
corresponding to CBI, and obtain a complete proof theory with respect to this semantics, 
all using standard modal techniques (see e.g. [1]). 

We first define MLcbi frames, which are standard modal frames with associated modal- 
ities corresponding to the CBI-model operations in Definition 12.21 



In fact, this is not quite true as it stands because for any consecution there are infinitely many consecu- 
tions that are display-equivalent to it, obtained by "stacking" occurrences of [1 and b. However, by identifying 
structures such as (tjjJf and X, one obtains only finitely many display-equivalent consecutions. See e.g. |43] . 
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Definition 4.1.1 (Modal logic frames). An MLcbi frame is a tuple (R, o, — •, e, — ,00), 
where o : R x R ^ V{R), -• : P(B) x P(B) -)■ P(B), e C R, - : R ^ V{R), and 00 C P. 
We extend o to P(B) x P(B) -)■ P(B), and - to P(B) -> P(B), in the same pointwise 
manner as in Definition 12.21 If e is a singleton set then the frame is said to be unitary. 

Definition 4.1.2 (Modal logic formulas). Modal logic formulas A are defined by: 

A::=P\T \ J-\-*A\ A/\A\ AV A \ A -> A\e\oo\ -A\ AoA\ A-mA 

where P ranges over V. We remark that we read e, 00, — ,0, — • as modalities (with the 
obvious arities). We regard — > as having weaker precedence than these modalities, and use 
parentheses to disambiguate where necessary. 

The satisfaction relation for modal logic formulas in MLcbi frames is defined exactly 
as in Definition 12.61 for the additive connectives, and the modalities are given a "diamond" 
possibility interpretation: 

r £ e 

r € 00 

3r' £ R. r £ —{r') and r' \= p A 

3ri, r 2 £ R- r £ n o r 2 and n \= p A\ and r 2 \= p A 2 

3ri, r 2 £ R. r £ r\—»r 2 and n \= p A\ and r 2 \= p A 2 

We remark that the — • modality — which does not correspond directly to a CBI-model 
operation but should be read informally as —>(Ai — * ~^A 2 ) — will be helpful later in giving 
a modal axiomatisation of CBI-models; see Defn. 14.1.61 We could alternatively employ a 
modality corresponding directly to — *, but it is much more technically convenient to work 
exclusively with "diamond" modalities. 

Given any set A of modal logic axioms, we define A-models to be those MLcbi frames 
in which every axiom in A holds. The standard modal logic proof theory corresponding to 
the class of A-models is given by the following definition (cf. [4]). 

Definition 4.1.3 (Modal logic proof theory). The modal logic proof theory generated by 
a set A of modal logic axioms, denoted by LA, consists of some fixed finite axiomatisation 
of propositional classical logic, extended with the following axioms and proof rules: 

(A) : A for each A £ A 

(-.L): -±->± 

(o_L) : Pol^l 

K): (-L-.P)V(P-.±)->± 

(-V): -(PVQ)^-PV-Q 

(oV) : (P V Q) o R <-► (P o R) V (Q o R) 

(-•VL) : (PV Q) -• R++ (P -• R)V (Q -• R) 

(-•VR) : P -• (Q V R) <-> (P -• Q) V (P -• R) 

A^B A A A^B 

(MP) - (Subst) 



B A[B/P] (-A) ->- (-P) 

A^B A^B A^B 

(00) (o-«L) (o-»L) 



(A o C) ->■ (P o C) (C -• A) ->• (C -• B) (A -• C) -»• (B -• C) 
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where A,B,C range over modal logic formulas, P,Q,R are propositional variables, and 
A <H> B is as usual an abbreviation for (A —?■ B) A (B —?■ A) . 

Note that the axioms and rules for the modalities which are added to A by Defini- 
tion 2jT3] are just the axioms and rules of the standard modal logic K, instantiated to each 
of our "diamond" -type modalities e, oo, — , o and — •. We emphasise that, by definition, the 
latter are diamond modalities rather than logical connectives. In particular, the modality 
' — ' is not a negation (—A should be understood informally as the CBI-formula ~—>A), and is 
monotonic rather than antitonic with respect to entailment, as embodied by the rule (o— ). 
Similarly, the — • modality is monotonic in its left-hand argument because it is a diamond 
modality and not an implication. 

We now state a sufficient condition, due to Sahlqvist, for completeness of LA to hold 
with respect to the class of „4-models. 

Definition 4.1.4 (Very simple Sahlqvist formulas). A very simple Sahlqvist antecedent S 
is a formula given by the grammar: 

S ::= T | J_ | P | S A S \ e | oo | -S \ S o S \ S -• S 

where P ranges over V. A very simple Sahlqvist formula is a modal logic formula of the form 
S —> A + , where S is a very simple Sahlqvist antecedent and A + is a modal logic formula 
which is positive in that no propositional variable P in A + may occur inside the scope of 
an odd number of occurrences of -i. 

Theorem 4.1.5 (Sahlqvist [4]). Let A be a set of modal logic axioms consisting only of 
very simple Sahlqvist formulas. Then the modal logic proof theory LA is complete with 
respect to the class of .4-models. That is, if a modal logic formula F is valid with respect 
to „4-models then it is provable in LA. 

Definition 4.1.6 (Modal logic axioms for CBI). The axiom set AXcbi consists of the 
following modal logic formulas, where P, Q, R are propositional variables: 

(1) eoP-^P 

(2) P^eoP 

(3) PoQ^QoP 

(4) (PoQ)oR^Po(QoR) 

(5) Po(QoR)^(PoQ)oR 

(6) QA{RoP)^(R/\(P-»Q))oT 

By inspection we can observe that the AXcbi axioms (cf. Definition 14. 1.6j) are all very 
simple Sahlqvist formulas, whence we obtain from Theorem 14.1.51 

Corollary 4.1.7. If a modal logic formula F is valid with respect to AXcBi-models then 
it is provable in L AXcbi- 

We show that the completeness result transfers to unitary AXcBi-models. 

Lemma 4.1.8. Let M = {R, o, — •, e, — , oo) be an AXcbi model. Then there exist unitary 
AXcBi" m odels M x for each x € e such that the following hold: 

(1) M is the disjoint union of the models M x for x £ e. 

(2) A formula A is true in M iff it is true in M x for all x € e. 



(7) RA(P^Q) - 


-►(T- 


-(Q/ 


\(RoP))) 


(8) P^P 








(9) P -> P 








(10) -P->-(P-» 


oo) 






(11) (P-»oo)-» 


-p 
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Proof. For each x G e, the model M x is defined by restricting M to R x =def { r £ -R I 
{r} o {x} ^ 0}. Disjointness of models follows directly from the fact that (R,o,e) obeys 
the first five axioms of AXcbIi which characterize relational commutative monoids. Finally, 
(1) =4> (2) is a general result which holds in modal logic |3]. □ 

Corollary 4.1.9. If a modal logic formula F is valid with respect to unitary AXcBi-models 
then it is provable in LAXcbi- 

4.2. CBI-models as modal logic models. 

Lemma 4.2.1. If (R, o, e, — , oo) is a CBI-model then, for all X, Y, Z G V(R), we have: 

(1) X o Y = Y o X and X o (Y o Z) = (X o F) o Z and {e} o X = X 

(2) -X = X -• oo 

(3) X = X 

where X — • Y =d e f {^ G R \ 3x € X, y € y. y € x o z}. 

Proof. The required properties follow straightforwardly from the properties of CBI-models 
given by Definition 12.21 and Proposition 12.31 □ 

Lemma 4.2.2. Let (R, o, — »,e, — , oo) be an unitary AXcBi-model (so that e is a single- 
ton set). Then oo is a singleton set, and — x is a singleton set for any x £ R. Moreover, 
(R, o, e, — , oo) is a CBI-model with the modalities e, — , oo regarded as having the appropri- 
ate types. 

Proof. We first show that — x is a singleton by contradiction, using the fact that x = 

{x} must hold for any set x, as a consequence of axioms (8) and (9). If — x = then 

x = \J ye _ x —y = 0, which contradicts x = {x}. If X\,X2 € — x with x\ ^ X2, then 

—X\ U — X2 C x. Also, —x\ ^ — X2, otherwise we would have \x\\ = x\ = X2 = 

{X2} and thus x\ = X2- Since —x\ and — X2 have cardinality > (see above), x must 

have cardinality > 1, which contradicts x = {x}. 

We prove that oo is a singleton by deriving oo = — e. Using the axioms in Defini- 
tion [HS1 w e will show that e — • X = X must hold for any set X. This fact, together with 
axioms (10) and (11) instantiated with P = e gives the desired consequence oo = — e. 

It remains to show e — • X = X. Axioms (6) and (7) give the two directions of: 

qGropiErGp— • q 
for any p,q,r € R, and axioms (1), (2) and (3) give, for any x £ R: 

x o e = {x} 
Therefore we have that, for any x € R: 

iGe-iIiff (3x' eli6e-»n/)iff (3a/ G X. x' G x o e) iff x o e C X iff x G X. 

□ 
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Definition 4.2.3 (Embedding of CBI-models in AXcBi-models). Let M = (R,o,e,—,oo) 
be a CBI-model. The tuple r M n = (R, o, — •, e, — , oo) is obtained by regarding e, — , oo as 
having the same types as in Definition 14 . 1 . 1 1 in the obvious way, and by defining the modality 
-• : V(R) x V{R) -> V(R) by X -• Y = def {z e R\3x e X,y eY.y £ x o z}. 

Lemma 4.2.4. If M is a CBI-model then r M n is a unitary AXcBi-model. Moreover, the 
function r — n is a bijection between CBI-models and unitary AXcBi-models. 

Proof. First observe that in any MLcbi frame (R, o,— «,e, — , oo), the AXcbi axioms ([6]) 
and © hold iff we have, for all X, Y in V(R): 

X-»Y = {z£R\3x£X,y£Y.y£xoz} 

Let M be a CBI-model. Then axioms ([6]) and ([7]) hold in r M~ l by the above observation. The 
remaining AXcbi axioms hold in r M n as a direct consequence of Lemma 14.2.11 Therefore 
r M~ l is a unitary AXcBi-model. 

It remains to show that r — n is a bijection. Injectivity is immediate by definition. For 
surjectivity, let M' = (R, o, — •, e, — , oo) be a unitary AXcbi model. By Lemma l4.2.2l we have 
that (R, o, e, — , oo) is a CBI-model. Since the interpretation of — • is determined by o because 
of the above observation about axioms ([6]) and ([Z]), it follows that r (R, o, e, — , oo)" 1 = M', 
hence r — n is surjective. D 

Definition 4.2.5 (Translation of CBI-formulas to modal logic formulas). We define a func- 
tion r — n from CBI-formulas to modal logic formulas by induction on the structure of CBI- 
formulas, as follows: 

where F G {F, T, 1} 
where ? G {A, V,— ^} 



r F n 


= 


F 


i — p*~i 


= 


e 


r Fi?iV 


= 


r F! n ? r F 2 n 


r Fi * F 2 n 


= 


r F^ o r F 2 n 


r Fi -* F 2 n 


= 


^(r Fl n _^ ^rp 2 


r ^F n 


= 


^ r F n 


rj_*n 


= 


— lOO 


r^i?"i 


= 


^- r F n 


r F x ^ F 2 n 


= 


-(-^ro- 



- r F 2 ^) 

where F in the first clause ranges over V. We extend the domain of r — n to DLcbi conse- 
cutions by: 

r IhP = r ^ x n -► r Ty n 
where ^_ and T_ are the functions given in Definition 13.31 

In the following, we write F[G/P] to denote the result of substituting the formula G 
for all occurrences of the propositional variable F in the formula F. This notation applies 
both to CBI-formulas and to modal logic formulas. 

Lemma 4.2.6. Let F be a CBI- formula, and M = (R, o, e, — , oo) a CBI-model. Then F is 
true in M if and only if r F n is true in r M n . 

Proof. Let F be a CBI-formula and A a modal logic formula. We define F ~ A to hold iff 
for all environments p, and all r G F, the following holds: 

r ^ p F wrt. Af <^ r ^ p A wrt. r M n 

The proof is divided into two parts. The first part establishes the following properties: 
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(1) F ~ A and G ~ P implies F[G/P] ~ A[B/P] 

(2) T* ~ e 

(3) P 1 *P 2 ~P 1 o P 2 

(4) Pi -* P 2 ~ -.(Pi ^. -P 2 ) 

(5) JL* ~ ^oo 

(6) ~P~^-P 

(7) Pi $ P 2 ~ —(—Pi o —P 2 ) 

We show one interesting case (7). By Lemma 12.81 we have that Pi v" P 2 is equivalent to 
~(~Pi * ~P 2 ), therefore it is sufficient to prove ~(~Pi * ~P 2 ) ~ ~>—{~>—Pi ° _1 — P2)- By 
(6) we have ~Pj ~ -i— Pj for i € {1,2}, hence by (1) and (3) we obtain (~Pi * ~P 2 ) — 
(-1— Pi o -i— P 2 ). Thus by (1) and (6) we conclude ~(~Pi * ~P 2 ) — -i— (-i— Pi o -■— P 2 ), as 
required. 

The second part establishes F ~ r P n by induction on the structure of F, using the 
results from the first part. □ 

Proposition 4.2.7. A consecution X h Y is valid (wrt. CBI-models) iff r ^x — > Yy" 1 is 
valid wrt. unitary AXcBl-models. 



Proof. By definition, X h Y is valid iff \P x -^ Yy is true in every CBI-model M. By 
Lemma 14.2.61 this is equivalent to: 

r ^x -^ Ty n is true in r M~ l for every CBI-model M 

Since r — n is a bijection onto unitary AXcBl-models by Lemma 14.2.41 this is equivalent to: 

r ^fx - > Ty n is true in all unitary AXcBl-models 

i.e. r ^fx —* Ty n is valid wrt. unitary AXcBi" m odels. □ 

By combining Proposition 14.2.71 and Corollary 14.1.91 we obtain the following key inter- 
mediate result towards completeness for DLcbi: 

Corollary 4.2.8. If X \- Y is a valid consecution then r ^fx ~ ► Ty n is provable in LAXcbi- 

4.3. Prom modal logic proofs to DLcbi proofs. 

Definition 4.3.1 (Translation from modal logic formulas to CBI- formulas). We define a 
function q from modal logic formulas to CBI-formulas by induction on the structure of 
CBI-formulas, as follows: 

where A € {P, T,_L} 
where ? G {A,V,->} 



A 


— 


A 


,^A, 


— 


->4, 


L ti 




C.Z1 


L Ai ? A 2j 


= 


Ah 1 A^ 


Ai o A 2j 


= 


Ah * A*J 


A-i -• A 2j 


= 


-(A, -* -^ 


i_ej 


= 


T* 


rA 


= 


-i~A 



loOj = -i_L 

Proposition 4.3.2. The axioms and proof rules of LAXcbi (cf. Defn. l4~l.3p are admissible 
in DLcbi under the embedding A \— >• (0 h L A J ) from modal logic formulas to consecutions. 
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(Prop. 1X71) 



(=d) 
(Prop. E3) (->L) 



(WkR) 



PhP -nQI-ltQ;(.RA-.(P-*-.Q))*T 

HL) 

m _ P^-QhbP, tfQ; PA-P^-Q *T 

(Prop.EjJ) (=d) (TR) 

; ji(bP,(|tQ;(flA-(P^-.Q))*T))l-|tP^-.Q 0hT 

(-.R) (WkR) 

Phi? tf(bP, (JtQ; (P A -.(P -» -.Q)) * T)) h -.(P -» -.Q) 0; P h T 

(AR) (0R) 

P; (((bP, (KQ; (P A -.(P -* -.Q)) * T)) h P A -.(P -* -.Q) P h T 

(*R) 

(P; «(bP, (||Q; (P A ->(P -* -.Q)) * T ))), P h (P A -,(P -* -,Q)) * T 

(WkR) 

(P; jj(bP, (jjQ; (P A -,(P -* -,Q)) * T))), P h flQ; (P A -.(P -* -,Q)) * T 

R h (bP, («Q; (P A -(P -* -0)) * T)); (bP, (|}Q; (P A -.(P -* ->Q)) * T)) "^ 

CtrR) 

R h bP, (KQ; (P A -.(P -* -,Q)) * T) 

P,PhjjQ;(PA^(P^^Q))*T 

(*L) 



P * P h jjQ; (P A -.(P -* -.Q)) * T 

Q; P * P h (P A -.(P -* -,Q)) * T 

(AL) 

g A (P * P) h (P A -.(P -* -.Q)) * T 

(0L) 

3; Q A (P * P) h (P A -.(P -* -,Q)) * T 

HR) 

h Q A (P * P) ->■ (P A -.(P -* -.Q)) * T 



Figure 5: A DLcbi derivation of the LAXcbi axiom (jSJ) under the embedding A t-y (0 h t A J ), 
needed for the proof of Proposition 14.3.21 

Proof. First, we note that all of the proof rules of LAXcbi, except (Subst), are easily 
derivable in DLcbi under the embedding. The rule (Subst) is admissible in DLcbi (under 
the embedding) because each of its proof rules is closed under the substitution of arbitrary 
formulas for propositional variables; in the case of the axiom rule (Id) this requires an appeal 
to Proposition 13.71 

It remains to show that h A. is DLcBi-derivable for every axiom A of LAXcbi- The 
AXcbi axioms are mainly straightforward, with the chief exceptions being axioms (jHJ) and 
(J7J. (We remark that axioms (8) and (9) are straightforward once one has DLcbi proofs 

that -i and ~ commute; see Figured] for a proof of ~-iP I i~F.) In the case of AXcbi 

axiom (jSJ), we need to show the consecution h Q A (R * P) — > (R A -i(P -*■ -*Q)) * T is 
provable in DLcbi- We give a suitable derivation in Figure [5j The treatment of AXcbi 
axiom flTJ is broadly similar. It remains to treat the generic modal logic axioms of LAXcbi , 
which again are mainly straightforward and involve showing distribution of the modalities 
over V. E.g., in the case of the axiom (— •VL) we require to show that I i((P V Q) — * 
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(Id) (Id) 

R \- R R h R 

<=d) -N 



tt-R I- W W I- tt-R 

(Id) — HL) (Id) (-nL) 

Phi 5 -,p h p g h o -.p, h tti? 

(-*L) f-*L) 

P -* -.P h bP, tti? Q^-flh bQ, t)P 

(WkL) (WkL) 



nP; Q -* -.P h bP, HP P -* -nP; Q -* -.P H bQ, ))P 

(— d) — — ; — (=£>) 



P h t)P, b(P -* ^P; Q -* -.P) Q h |)P, b(P -* -.P; Q -* -.P) 

(VL) 

P V Q h (t)P, b(P -^ -.P; Q -* -.P)); ()JP, b(P -* -.P; Q -* -.P)) 

(CtrR) 

P V Q h )JP, b(P -* --P; Q -* -nP) 

(P -* -.fl; Q -* -,#.), P V Q h [IP 

(-R) 

H-R) 



P -* -.P; Q -* ^P h (P V Q) -* -.P 
tt(P V Q) -* -hP; Q -* -.P h t)P -* -iP 

(-R) 

ft(P V Q) -* -.#; Q -* -,P h -.(P -* -.P) 

it(P V Q) -* --P; |t-.(P -+ -.£) h flQ -* -P 
(-R) 

J(PVQ)^^;H-P^^)^(Q^^) 

tt(P V Q) -* -P h -.(P -* ->R); -.(Q -* -P) 

(-L) 

-.((P V Q) -* ->R) \- -.(P -* --P); -.(Q -* --P) 

(VR) 

-.((P V Q) -* -hP) h -.(P -* -nP) V -.(Q -k -.P) 

(0L) 

0; -.((P V Q) -* -,P) h -.(P -♦ -nP) V -.(Q -* -,P) 

(->R) 

h -.((P V Q) -* -,P) -► -,(P -* -.P) V -.(Q -* -,P) 

Figure 6: A DLcbi derivation of (one direction of) the LAXcbi axiom (— •VL) under the 
embedding ^4 i — > (0 I— ] A 1 ), needed for the proof of Proposition 14,3.21 

-iR) <->• -i(P — * ->R) V->(Q—* ->R) is DLcBi-derivable. We give a derivation of one direction 
of this bi-implication in Figure El The other direction of the bi-implication, and the other 
axioms, are derived in a similar fashion. □ 

The following corollary of Proposition l4.3.2"l is immediate by induction over the structure 
of LAXcbi proofs. 

Corollary 4.3.3. If A is provable in LAXcbi then (- ^ is provable in DLcbi- 

We write F -\\- G, where F and G are CBI-formulas, to mean that both F \- G and 
G \~ F are provable (in DLcbi), and call F -\\- G a derivable equivalence (of DLcbi)- We 
observe that derivable equivalence in DLcbi is indeed an equivalence relation: it is reflexive 
by Proposition 13.71 symmetric by definition and transitive by the DLcbi rule (Cut). 

Lemma 4.3.4. F -\\- [F~^ is a derivable equivalence of DLcbi for any CBI-formula F. 
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(I.H.) (I.H.) 



F h L r F^ F 2 h rj?,,-. 

(=*) : „ . . i=n) 



b[F^ h bFi b.^ h bF 2 

^ (~L) ^ (~L) 

~ L r Fl n h \?Fx ~[F 2 ^ h bF 2 

" (sd) -^ (s D ) 



tibFi h |j~ L r *i j tfbF 2 h H^ L r F 2 ^ 

(-iR) (-iR) 

flbFi h -.^Fx^ tfbF 2 h i~ [F 2 ^ 

—^^ L r^(^) 

^^ HL) ^^ (-nL) 

- , -'~L^i j h b ^i — ^-^ 1- bF 2 

(^) — (=d) 



F 



Fi h b™, r Fi n , F 2 h b™, r Fi 

-(^L) 

Fi tf F 2 h b^^n b ^ r^n 

™ L r F n J5 — ^ I" ^ $ F 2 

/ T \ 

-.-. ~, r Fi "J. * ™ L r F 2 ^ h bFx $ F 2 
Fi tf F 2 h b™ L r Fx^ * ™ L r F 2 ^ 

^ fr F 2 h -(^-^F^ * -n^Tgj) 

. -(-."-^FiT, * -.-. ~ L r FTJ h ttF ♦ F 2 
— - — C— ■— ■ — L f ij * — ~ L r ^2 n J h (tFi $ F 2 " 
Fi ♦ F 2 h fl-.~(-.-. ~ L r F x ^ * -■-, ~ L r F 2 ^) 

(-R) 

Fi $ F 2 h -,-,~(-,-,~ r^n * _,_,„ r^n) 
Figure 7: A DLcbi proof for the non-trivial case of Lemma 14.3.41 

Proof. By combining the definitions of r — n and L — j (cf. Defns. 14.2.51 and 14. 3. ip we obtain 
the following definition of ^ — "*, given by structural induction on CBI-formulas: 

rp^ = F where F G {P, T, 1, T*} 

[F X 1F 2 ^ = [F^l [F 2 ^ where?G{A,V,^,*} 

r in _ I * 

L J 

r^i?n = -,-,^r_pn 
L r Fi^F 2 ^ = - I -,(r L Fl V_ H( _,_ I r i r 2 -i) 
r Fi v" F 2 n = -i-.~(-,-,^r|? 1 -i i * _,_,^r_p 2 H) 

With this in mind, we now proceed by structural induction on F. The base cases, in 
which ^ F "T = F, are immediate since F Hh F is a derivable equivalence of DLcbi by 
Proposition 13.71 Most of the other cases are straightforward using the induction hypothesis 
and the fact that —>—>F Hh F is easily seen to be a derivable equivalence of DLcbi- We show 
one direction of the only non-trivial case, F = F\ v" F 2 , in Figure [71 The reverse direction 
is similar. □ 
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The following two lemmas, which show how to construct proofs of arbitrary valid con- 
secutions given proofs of arbitrary valid formulas, are standard in showing completeness of 
display calculi relative to Hilbert-style proof systems, and were first employed by Gore [24] . 



Lemma 4.3.5. For any structure X the consecutions X h \& x and Tx r- X are both 
DLcBi-provable. 

Proof. By structural induction on X. The case where X is a formula F follows directly from 
Proposition 13.71 The other cases all follow straightforwardly from the induction hypothesis 
and the logical rules of DLcbi- E.g., when X = \>Y we have ^x = ~Ty and T x = ~*y, 
and proceed as follows: 

(I.H.) (I.H.) 

Tyhy yh$ y 

(=d) ■ — {=D) 



\>Y h \>r Y " t>*y h w 

(„ R ) („ L ) 

The remaining cases are similar. □ 

Lemma 4.3.6. If h [^ x -> Ty^ is DL C Bi-provable then so is X h Y. 

Proof. We first note that /~\Px — >• Ty^ = ^ ^-X' j ~~ * iT^^Ti' an< ^ then build a DLcbi proof 
of X \- Y as follows: 

(Lemma B.3.5P (Lemma I?. 3. 41) (Lemma |4".3.4I) (Lemma |4".3.5|) 



(assumption) 


Xh** ^h^*;^ L r Ty^hTy Tyh7 

(Cut) (Cut) 


h L r *x n j -4 L r Ty^ 


L r %^ L r Ty^(i ; y 

(Cntl 




0hpr ; Y 

0;Xhy 
(0L) 



X hF 

D 

We can now prove the completeness of DLcbi with respect to CBI-validity. 

Proof of Theorem \3. 12\ Let X \- Y be a valid consecution. Then r ^fx —> Ty n is LAXcbi- 
provable by Corollary |4.2.81 By Corollary 14. 3. 31 h [^x — ^ Ty^ is then provable in DLcbi 
and thus, by Lemma f4. 3 .61 X h Y is DLcBi-provable as required. 

5. Examples of CBI-models 

In this section we give some concrete examples of CBI-models, and some general con- 
structions for forming new models. In most of our examples the relational monoid operation 
o is actually a partial function, and in these cases we treat it as such (e.g., by writing xoy = z 
rather than x o y = {z}). 
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Proposition 5.1 (Abelian groups as CBI-models). Any Abelian group (R, o,e, — ) can be 
understood as a CBI-model (R,o,e,—,e). Conversely, if (R, o,e, — , oo) is a CBI-model 
with o a partial function, then imposing the condition oo = e forces o to be total, whence 
(R, o, e, — } is an Abelian group. 

Proof. (=^>) Let (R, o, e, — ) be an Abelian group. To see that (R, o, e) is a BBI-model, we 
just note that o is associative and commutative and that e is the unit of o by the group 
axioms. By the uniqueness of group inverses, we then have that — x is the unique y such 
that e G x o y. Thus (R, o, e, — , e) is a CBI-model, as required. 

(<£=) Let (R, o, e, — , oo) be a CBI-model with oo = e and o a partial function. First note 
that, by the latter two facts, we have — x o x = oo = e for all x £ i?. Now for any x, y € R 
we observe that — x o (x oy) = {—x ox)oy = eoy = y. Thus — x o (x o y) is defined, which 
can only be the case if x o y is defined. Thus o is in fact a total function. 

To see that (R, o, e, — ) is an Abelian group, we first observe that, since o is a total 
function by the above, (R, o,e) is a total commutative monoid by the conditions imposed 
on BBI-models. The uniqueness of group inverses then follows immediately from the CBI- 
model conditions and the fact that oo = e. □ 

The following example, which looks at some typical resource interpretations of CBI- 
formulas inside an Abelian group model, builds on the "vending machine" model for BI 
given by Pym, O'Hearn and Yang [40], which itself was inspired by Girard's well-known 
"Marlboro and Camel" illustration of linear logic [23J. 

Example 5.2 (Personal finance). Let (Z, +,0, — ) be the Abelian group of integers under 
addition with identity 0, where — is the usual unary minus. This group can be understood 
as a CBI-model (Z,+,0, — ,0) by Proposition 15.11 We view the elements of this model as 
financial resources, i.e money (which we shall measure in pounds sterling, £), with positive 
and negative integers representing respectively credit and debt. We read the CBI-satisfaction 
relation £m \= p F informally as a £m is enough to make F true", and show how to read 
some example CBI-formulas according to this interpretation. 

Let C and W be atomic formulas denoting respectively the ability to buy cigarettes 
costing £5 and whisky costing £20, so that we have £m \= p C 44> m > 5 and £m \= p W <^> 
m > 20. Then the formula C AW denotes the ability to buy cigarettes and the ability to 
buy whisky (but not necessarily to buy both together): 

£m^ p C AW & £m \= p C and £m \= p W 
■^ to > 5 and m > 20 
& m > 20 

In contrast, the formula C * W denotes the ability to buy both cigarettes and whisky 
together: 

£m \= p C *W <f$ 3mi, 77i2 € Z. £m = £m\ + £rri2 and £m\ \= p C and £rri2 \= p W 

<^> 3mi, 7772 € Z. 777 = 777i + 777-2 & n d 777i > 5 and 7772 > 20 
44> 777 > 25 
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The multiplicative implication C — * W denotes the fact that if one acquires enough money 
to buy cigarettes then the resulting balance of funds is sufficient to buy whisky: 

£m\= p C^W o Vm'G Z. £mf hp C implies £m + £m' ^ p W 
44> Vm' E Z. m' > 5 implies m + m' > 20 
44> m > 15 

We remark that all of the above formulas are BBI-formulas, and so would be interpreted in 
exactly the same way in the BBI-model (Z, +, 0). Let us examine the multiplicative connec- 
tives that are particular to CBI. We have £m \= p _L* <^> m ^ 0, so that _L* simply denotes 
the fact that one has either some credit or some debt. (This is exactly the interpretation 
of the formula -iT*, a collapse induced by the fact that e and oo coincide in the Abelian 
group model.) Now consider the formula ~C. We have: 

£m \= p ~C ^ -£m \^ p C t$ -m < 5 44> m > -5 

So ~C denotes the fact that one's debt, if any, is strictly less than the price of a pack of 
cigarettes. As for the multiplicative disjunction, C v" W, we have: 

£m ^ p C v- W 
44> Vmi,m2 € Z. —£m = £m\ + £rri2 implies —£m\ \= p C or —£rri2 \= p W 
44> Vmi, mi G Z. — m = mi + 7772 implies — m\ > 5 or — mi > 20 
44> Vmi, m2 € Z. TTi + mi + ?r i2 = implies mi < —5 or 7772 < —20 
44> Vmi, 7772 £ 2. (777, + 777i + m 2 = and mi > —5) implies 777,2 < — 20 
44> 777 > 24 

It is not immediately obvious how to read this formula informally. However, observing that 
C v" W is semantically equivalent to ~C — * W and to ^W — * C, the meaning becomes 
perfectly clear: if one spends strictly less than the price of a pack of cigarettes, then one 
will still have enough money to buy whisky, and vice versa. 

We remark that, in fact, there is a logic in the relevantist mould, called Abelian logic, 
whose models are exactly the lattice-ordered Abelian groups [33 1 . 



Proposition 5.3 (Effect algebras as CBI-models). Effect algebras, which arise in the 
mathematical foundations of quantum- mechanical systems |20| . are exactly CBI-models 
(R, o, e, — , 00) such that o is a partial function and 00 is nonextensible (i.e. x o 00 is unde- 
fined for all i^e). 

The CBI-models constructed in the next examples are all effect algebras. 

Example 5.4 (Languages). Let E be an alphabet and let £(£) be any set of languages 
over S that is closed under union and complement and contains the empty language e (e.g., 
the set of regular languages over E). Write E* for the set of all words over E, and note 
that E* E jC(E). Let L\ + L2 be the union of disjoint languages L\ and L2, with L\ + L2 
undefined if L\ and L2 are not disjoint. Clearly (£(E),+,e) is a partial commutative 
monoid. Furthermore, for any language L, its complement L = E* \ L is the unique 
language such that L + L = E*. Thus (£(E), +, e,", E*) is a CBI-model. To see that it 
is also an effect algebra, just notice that + is a partial function and E* is nonextensible 
because E* + L is undefined for any L ^ e. 

Example 5.5 (Action communication). Let A be any set of objects (to be understood as 
CCS-style "actions" |2U), define the set A = {a \ a £ A} to be disjoint from A, and let 
elements 0, r (£ Au A, whence we write B =d e f A U A U {0, r}. We extend the operation 
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■ to B — > B by =d e f r and a =d e f a, and define a partial binary operation • | • with type 
B x B —^ B as follows: 



b 


if c = 


T 


if c = b 


undefined 


otherwise 



o I c = do f 

The operation • | • models a very simplistic version of communication between actions: 
communication with the empty action has no effect, communication between a pair of 
dual actions b and b (which may be read, e.g., as "send b" and "receive 6") results in the 
"successful communication" action r, and all other communications are disallowed. It is 
easy to check that (B, -|-, 0) is a partial commutative monoid. Furthermore, for any b € B, 
we clearly have b the unique element with b \ b = r. Thus (B,- \ ■ ,0,~, r) is a CBI- 
model. Furthermore, it is clearly an effect algebra, because • | • is a partial function and r 
is nonextensible. 

Example 5.6 (Generalised heaps). A natural question is whether the heap models of BBI 
employed in separation logic (see e.g. [11]) are also CBI-models. Consider the basic heap 
model given by the partial commutative monoid {H, o, e), where H =d e f N ^fi n Z is the set 
of heaps (i.e. partial functions mapping finitely many natural numbers to integers), hi o h 2 
is the union of partial functions hi and h 2 when their domains are disjoint (and undefined 
otherwise), and e is the function with empty domain. Unfortunately, no choice of 00 for 
(H, o, e) gives rise to a CBI-model. 

However, it is possible to embed the set of heaps H above into a more general structure 
{H 1 , o', e'), where H' =def N — > V(Z) is the set of (total) functions from natural numbers to 
sets of integers (we may additionally require that h(n) 7^ for finitely or cofinitely many 
re € N). Then o' : H' X H' — x H' is defined by: if hi(n) and h2(n) are disjoint for all re, 
then (hi o' h2)(n) = hi(n) U /i2( n )> otherwise hi o' /i 2 is undefined. The unit e' is defined 
by e'(re) = for all n G N. A CBI-model (H',o',e' ,—,00) is then obtained by defining 
oo(re) = Z and (— h)(n) = Z \ h(n) for all n G N. 

We note that this model behaves quite differently than (H, o, e): generalised heaps with 
overlapping domains can be composed providing that their contents do not overlap for any 
point in the domain. We consider the interpretation of some "separation logic-like" formulas 
inside this model. Let ICZbe some fixed set of integers and define the atomic formula 
4 1— > X by the following: 

h^pA^X & h(A) = X 
i.e., the formula 4 1— > X denotes those generalised heaps with contents exactly X at location 
4. This can be seen as the set-based analogue of the h-> predicate in standard separation 
logic [45] (with fixed arguments for simplicity, as we are working in a propositional setting). 
Then we have, for example: 

h \= p (4 H> X) * T 44> h = hi o' h 2 and hi \= p 4 •->• X and h 2 \= p T 

^ (Vre g N. h{n) = hi{n) U h 2 {n)) and fa (4) = X 
^ X C /i(4) 

so that the formula (4 1— > X) * T denotes the general heaps which contain every element of 
X at location 4. If we then take the multiplicative negation of this formula, we have, using 
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the above: 

h ^ p ~((4 ^ X) * T) o -/i^ p (4^X)*T 

O X2(-/,)(4) 

O X£(Z\/i(4)) 

44> 3x G X. x G /i(4) 
i.e., this formula denotes the general heaps containing some element from X at location 4. 
So, in this case, the multiplicative negation has the effect of changing a universal quantifier 
to an existential one. The meaning of multiplicative disjunctions, however, is typically very 
complicated. For example, picking a second set Y C Z and defining the atomic formula 
4 i— ?> y in the same way as 4 i— > X, we have, using previous derivations: 

h h P ((4 •-»• X) * T) v 1 ((4 ^ y) * T) 
O /j^~((4Hl)*T)n<((4^y)*T) (by Lemma EHD 
*> W. (h o' ti defined and ti ^ p ~((4 H- X) * T)) implies /i o ti \= p (4 ^ Y) * T 
^=> V/i'. \h o' fc' defined and 3x G X. x G /i'(4)) implies y C /i(4) U h'(4) 
*> X C /i(4) or y C /i(4) or 3z G Z. (X \ fc(4)) = (T \ /»(4)) = {z} 

so that this disjunction denotes those general heaps that either contain one of X and Y, or 
are missing a single common element from X and Y, at location 4. We give a short proof 
of the last equivalence above, since it is not especially obvious. 

(<=)■ If X C h(A) then the required implication holds vacuously because x G X n /i'(4) 
implies ho' h' is undefined. If y C /i(4) then the implication also holds trivially because the 
consequent is immediately true. Lastly, suppose X \ h{4) =Y\ h{4) = {z}. Let h! be any 
heap with h o' h! defined and x G /i'(4) for some x G X. We must then have x = z because 
h(A) and /i'(4) must be disjoint and X \ /i(4) = {z}. Then, since also Y \ /i(4) = {z},we 
have y C h(4) U {z} C h{4) U /i'(4) as required. 

(=/•). If X C /i(4) or y C /i(4) we are trivially done. Now suppose that X <2 fo(4) and 
y ^ ^(4), so that there are x G X \ /i(4) and y£y\ /i(4). Let ti be given by /i'(4) = {x} 
and /i'(n) = for all other n, and note that /i o' ti is defined. By assumption, we have 
y C h(A) U /i'(4) = /i(4) U {x}, and thus y \ /i(4) = {x} because Y \ h{4) is nonempty by 
assumption. It follows that Y\h{4) = {x} for any x G X\/i(4), and so also X\/i(4) = {x}, 
as required. 

We note that a number of general categorical constructions for effect algebras have 
recently appeared in [27]. 

Our next examples differ both from Abelian groups in that e and oo are non-identical, 
and from effect algebras in that oo is extensible. Indeed, as shown by our Example 15.81 
below, fixing the monoidal structure of a CBI-model does not in general determine the 
choice of oo. 

Example 5.7 (Bit arithmetic). Let n G N and observe that an n-bit binary number can 
be represented as an element of the set {0, l} n . Let XOR and NOT be the usual logical 
operations on binary numbers. Then the following is a CBI-model: 

({0, l} n ,XOR, {0} n ,NOT, {l} n } 

In this model, the resources e and oo are the n-bit representations of and 2 n — 1 respectively. 
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Example 5.8 (Integer modulo arithmetic). Consider the monoid (Z n ,+ n ,0), where Z n is 
the set of integers modulo n, and + n is addition modulo n. We can form a CBI-model from 
this monoid by choosing, for any m E Z n , oo =d e f m and —A: =d e f m — n k (where — n is 
subtraction modulo n). 

Example 5.9 (Syntactic models). Given an arbitrary monoid (R, o, e), we give a syntactic 
construction to generate a CBI-model (R 1 , o 1 , e' , — ', oo'). Consider the set T of terms given 
by the grammar: 

t G T ::=r 6 R | oo | t-t \ -t 
and let ~ be the least congruence such that: 

r i ° r 2 = r implies n • T2 ~ r; 

ii • *2 ~ *2 ■ *i; 

h ■ (t 2 ■ h) « (ti • t 2 ) • t 3 ; 

— twi; 

£ • (— t) « oo; 

i x o i 2 ~ oo implies £1 w —£2- 

We write T/~ for the quotient of T by the relation ~, and [t] for the equivalence class 
of t. The required CBI-model {R', o', e', — ', oo') is obtained by defining i?' =d c f T"/w, 
o/ ([*l]) N) =dcf [<l °*2], e' = def [e], -'(t) = dc f [-*], and 00' = dcf [00]. 

We now consider some general ways of composing CBI-models. 

Lemma 5.10 (Disjoint union of CBI-models). Let (i?i,oi,ei, —1,001) and {R2,°2,£2, 
— 2) 002) be CBI-models such that R\ and R2 are disjoint and either 00 1 = e\ and 002 = e 2 
both hold or 001, 002 are both nonextensible, i.e. 00 1 o\ x = for all x ^ e\ and 002 o 2 x = 
for all x ^e2. 

Now let R be the set obtained by identifying e% with e2 and 00 1 with 002 in R\ U R2, 
and write e = e\ = e2 and 00 = 00 1 = 002 for the elements obtained by this identification. 
Define — = — 1 U — 2 and o = o x u o 2 . Then (R, o, e, — , 00) is a CBI-model. 

Proof. We start by observing that — is indeed a function from R to R because R\ and R2 
are assumed disjoint and, using Proposition 12.31 — iei = 00 1 = 002 = —262, and similarly 
— 1001 = — 2002. Thus — e and —00 are well-defined. 

We need to check that (R, o, e) is a BBI-model. The commutativity of o is immediate 
by the commutativity of o% and o 2 . Similarly, x o e = {x} for all x £ R because e = e% is 
a unit of o x and e = e2 is a unit of o 2 . To see that o is associative, we let x,y, z £ R and 
show that x o [y o z) = (x y) o by case analysis. 

Case: at least one of x, y, 2 is e. We are immediately done by the fact that e is a unit for o. 

Case: at least one of x,y,z is 00. We may assume that none of x,y,z is e, since these 
possibilities are covered by the previous case, and so it follows by assumption that 00 1 and 
002 are nonextensible. Consequently 00 o x = for all x ^ e, so x o (y o z) = = (x o y) o z. 

Case: all of x, y,z G R\. We may assume by the previous cases that none of x, y, z is either 
e or 00, so we have x o (y o z) = x o 1 (jj o 1 z) and (x o y) o z = {x o\ y) o 1 z, whence we are 
done by the associativity of o 1 . 

Case: all of x,y,z £ i? 2 - Similar to the case above. 
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Case: none of the above. We have x o (y o z) = = (x o y) o z since x o y = % whenever 
x G Ri, y G i?2 and neither x nor y is e or oo. This covers all the cases, so o is indeed 
associative. 

Now to see that (R, o, e, — , 00} is a CBI- model, given x G R we need to show that — x 
is the unique y G R such that 00 £ x o y. It is easily verified that 00 G x o — x for all 
x G -R. Now suppose that 00 G x o y = x o 1 y U x o 2 y for some y G -R. If 00 6 s oj j/ then 
y = — ix = —x as required. Similarly, if 00 G x o 2 y then y = — 2 x = — x. □ 

We remark that the restrictions on 00 1 and oo 2 in Lemma 15.101 are needed in order 
to ensure the associativity of o. For example, if x G R\ and y G R2 and x, y 7^ e then 
(x o y) o — y = o — y = while x o (y o — y) D x o 00 = x oj 001, which is not empty in 
general. 

Lemma 5.11 (Generalised Cartesian product of CBI- models). Let A be an ordered set 
and write <3 a eA x a for an ordered tuple indexed by the elements of A. Suppose that M a = 
(R a ,o a ,e a ,- a ,oo a ) is a CBI-model for each a £ A. Then (R, o, (g> aeA e a , -, (g> a£ A oo a ) is 
a CBI-model, where R denotes the ^4-ordered Cartesian product of the sets R a , and the 
operations o : R x R — )■ V{R) and — : R ^ R are defined as follows: 

-(<g) aej4 X a ) = ®« e A (- fl s a ) 
<g> aej4 X a O <£> aeA y a = UaeA,«.e*.o ita{®a£A1fla} 

Proof. In the following, all uses of (J notation should be understood as ranging over all a G A 
(we suppress the explicit subscript for legibility). First, we need to check that (R, o, (g) ae ^ e a ) 
is a BBI-model. The commutativity of o follows immediately from its definition and the 
commutativity of each o a . To see that <S> a eAe a is a unit for o we observe: 

®aeA X a o ® a &A e a = \J Wa dx a o a e a {®adA W a } = U Wa £{x a }{®aeA W a } = {®aeA X a } 

Next we need to check that o is associative. Using the the standard extension of o to 
V{R) x V{R) -+ V{R) we have: 

(<8>aeA X a O <g>aeA Va) ° ®aeA Z a = {[] Wa( z Xa o a y a {® a ^ AWa ^ ° ® a( ^ A Za 

= yJw a ax a o a y a \yJv a ew a o a z a \®a,&AVa}) 
= ^v a d{x a o a y a ) 0a z a {®a&AVa] 

Similarly, we have: 

®aeA X a O (® a eA Va ° ®a&A Z a ) = {Jv a €x a o a (y a o a z a ){®a£A V a } 

whence (<g> ae A x a o (g> aeA y a ) o ® a&A z a = (g> a eA x a o (® a eA Va ° ®a&A z a ) as required by the 
associativity of each o a . 

Now, to see that {R, o, (8> a gA e a , — , ® a <=A oo a ) is a CBI-model, it just remains to check 
that the required conditions on — and <S> a gA oo a hold. We have by definition: 

®adAX a O -(®aaAX a ) = ®a€A X a ° ®atA (- a X a ) 

= Uw a ex a o a (- a x a ){®azAW a } 

Then, since oo a G x a o a (- a x a ) for all a G A we have (g) aej4 oo a G (S> a eAX a o -(® a eA^a) 
as required. To see that — (<£> a eA^a) is the unique element of R satisfying this condition, 
suppose £>3aeA 00 a G <£> a eA x a o <S> a eA Va- Then for each a £ A we would have oo a G x a o a y a , 
which implies y a = — a x a for each a G A and thus <g> a eA y Q = ®a^A coa as required. This 
completes the verification. □ 



CLASSICAL BI 33 



We remark that, as well as standard Cartesian product constructions, Lemma 15.111 
gives a canonical way of extending CBI-models to heap-like structures mapping elements 
of an ordered set A into model values by taking M a to be the same CBI-model for each 
a £ A. For example, our "money" model of Example 15.21 extends via Lemma 15.111 to a 
model of maps from a set of identifiers to the integers, which can be understood as financial 
"asset portfolios" mapping identifiers (commodities) to integers (assets or liabilities). Such 
a model might potentially form the basis of a Hoare logic for financial transactions in the 
same way that the heap model of BBI underpins separation logic. The following example 
shows another application. 

Example 5.12 (Deny-guarantee model). The deny- guarantee permissions employed by 
Dodds et al. [18] are elements of PermDG = Actions — > FractionDG, where Actions is a set 
of "actions" and: 

FractionDG = {(deny, n) \ tt G (0, 1)} U {{guar, tt) | tt G (0, 1)} U {0, 1} 

A partial binary function © is defined on FractionDG by: 

0©x=x©0 = x 

(deny, tti + 112) if tt\ + ^2 < 1 

(deny , iTi) (B (deny , 7T2) { 1 if ix\ + 1T2 = 1 

undefined otherwise 

(guar, tt\ + 7^) if 7Ti + 7T2 < 1 

(guar, 7Ti) © (guar, 1x2) = { 1 if 7Ti + 7T2 = 1 

undefined otherwise 
lffix = xffil = undefined for x ^ 

The operation © is lifted to PermDG by (p\ © P2)(o) = Pi(a) © P2(«)- Next, define the 
involution — on FractionDG by: 

—0 = 1 —(deny, n) = (deny, 1 — n) —(guar, tt) = (guar, 1 — tt) —1 = 

and lift — to PermDG by (— p)(a) = —p(a). Finally, we lift and 1 to PermDG by 0(a) = 
and 1(a) = 1. 

Then (PermDG, ffi, 0, — , 1) is a CBI-model. One can check this directly, but we can also 
reconstruct the model using our general constructions. First, one verifies easily that both 
the "deny fragment" and the "guarantee fragment" of FractionDG given by the tuples: 

{{(deny, tt) | tt G (0, 1)} U {0, 1}, ©, 0, -, 1) 
({(guar, tt) | tt G (0, 1)} U {0, 1}, ©, 0, -, 1) 

are CBI-models. Noting that 1 is nonextensible in both models, we can apply Lemma 15.101 
to obtain the disjoint union of these models, which is exactly (FractionDG, ©, 0, — , 1). By 
applying Lemma f5. Ill (taking A to be Actions and M a to be (FractionDG, ©, 0, — , 1) for all 
a G Actions) we then obtain the CBI-model (PermDG, ©, 0, — , 1). 

We end this section by addressing the general question of whether there are embeddings 
of arbitrary BBI-models into CBI-models. This is not trivial for the following reason. 
Consider a BBI-model (R, o, e) with o a function and z = x\oy = X2°y with x\ ^ X2- In 
any simple extension of this model into a CBI-model {R', o',e', — , 00} with R C R' and 
o C o', we are forced to have both — x\ Gj/o' — z and — X2 G y o' —z by the CBI-model 
conditions (see Proposition 12.31 part [3]), while —x\ 7^ — X2- Thus any such extension of the 
functional BBI-model (R, o, e) into a CBI-model is forced to be relational. Our construction 
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below shows how a general embedding from BBI-models to CBI-models may be obtained, 
which can be viewed as being weakly canonical in the sense that it is an injection. 

Proposition 5.13 (CBI-cxtension of BBI-models). Let (R, o, e) be a BBI-model and define 
a second, disjoint copy R of R by R =dcf {r \ r £ R}. Define — x = x for all x £ R and 
—x = x for all x G R. Finally, define the binary relation ffi over R U R by the following: 

(©1) z £ x oy => z £ x (By 

(02) z £xoy => y G (x ffi z) n (z ffi x) 

Then (i? U -R, 0, e, — , e) is a CBI-model. Moreover, the construction of (R U i?, ©, e, — , e) 
from (i?, o, e) is injective. 

Proof. We start by stating the following elimination principle for © which follows directly 
from its introduction rules (©1) and (©2). 

Elimination principle. If z G x © y then the following hold: 

(1) z G i? iff x, y G i?, and if x, y, z G -R then z £ x o y. 

(2) z £ R iff either x £ R and y £ R, or x £ R and y £ R. Furthermore: 

• if x G -R and y,z £ R then y' £ x o z', where y' = y and z' = z; 

• if y £ R and x,z £ R then x' £ z' o y, where x' = x and z' = z. 

With this principle in place we carry out the main proof. First, we need to check 
that (RL) R, ffi, e) is a BBI-model, i.e., that © is commutative and associative, and satisfies 
x o e = {x} for all x £ R U R. 

We tackle the last of these requirements first. Since (R,o,e) is a BBI-model we have 
x£xoe = eox = {x} for all x £ R. Thus, for all x £ R, we have x G x ffi e by (ffil) and 
x G x ffi e by (02). That is, x G x ffi e for all x G i? U i?. Now suppose y G x ffi e. Since 
e £ R, there are two cases to consider by the elimination principle. If both x, y G R then 
we have y G x o e = {x}, thus y = x. Otherwise, both x,y £ R and x' £ y' oe = {y 1 }, where 
x' = x and y' = y. Thus x' = y' and, since ~ is injective, x = y. So x ffi e = {x} for all 
x G -R U R as required. 

To see that ffi is commutative, let z G x ffi y, and consider the cases given by the 
elimination principle. First, suppose that all of x, y, z G R and z £ x o y. Since (R, o, e) 
is a BBI-model, o is commutative, so z G y o x. Thus by (ffil) we have z £ y © x. Next, 
suppose that x £ R, y,z £ R and y' G x o z', where y' = y and z' = z. By (©2) we then 
have z G y ffi x. The case where y £ R and x, z G i? is symmetric. Thus z G x ffi y implies 
z £ y ffi x, so x ffi y = y ffi x for any x,y £ RL) R, i.e. ffi is commutative. 

It remains to show that ffi is associative, i.e. that (x ffi y) ffi z = x ffi (y ffi z) for any 
x, y, z £ RL) R. We divide into cases as follows: 

Case: at least two of x, y, z are in R. The elimination principle implies that x ffi y = 
whenever both x, y G R and, furthermore, z £ R whenever z G x ffi y and either x G R or 
y £ R. Combined with the pointwise extension of ffi to sets of elements, this implies that 

(x ffi y) ffi z = x ffi (y ffi z) = 0. 

Case: none ofx,y,z are in R. The elimination principle implies that (xffiy)ffiz= (xoy)oz 
and x ffi (y ffi z) = x o (y o z). We are then done since o is associative by assumption. 
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Case: exactly one ofx,y,z is in R. We show how to treat the case where x G R; the other 
cases are similar. We write x = x'. Let w £ (x' © y) © z = U^&Fe?/ v ® z - Thus w £ v © z 
for some v £ x' ® y. By part 2 of the elimination principle, v € R and 2/ € u' o y, where 
v = v 1 . Applying the same elimination principle to w £ t/ © z, we obtain that w £ R and 
v' £ w' o z, where it; = w'. Thus a/ € Ui/gu/oz v ' ° V = W ° z) oy. Since o is associative and 
commutative, x' £ w' o (y o z). By (ffil), it is certainly the case that y o z C y © z, whence 
we obtain x' G it;' o (y © z) = (y © z) o u/. Thus, by (©2), we obtain w; £ x © (y © z). 

As we have shown w £ (x © y) © z) implies u; G a; © (y © z), we conclude (x © y) © z = 
x © (y © z), i.e. © is associative as required. Thus (R U -R, ffi, e) is indeed a BBI- model. 

To see that (R U i?, ffi,e, — ,00} is a CBI-model, we just need to check that for any 
x £ R U R, x is the unique element such that 00 = e £ x ®x. Suppose first that x £ R. 
Since xoe = {x}, we have e G xffix by (©2). To see that x is unique, suppose that e G xffiy. 
By part 2 of the elimination principle, we must have y = y' and y' £ x o e = {x}. Thus 
y' = x so y = x as required. When x £ R, we have x = y for some y £ R and the reasoning 
is exactly dual to the case above, since o is commutative. This completes the proof. □ 

Another interesting possibility for obtaining CBI-models from arbitrary BBI-models 
would be to extend the well-known Grothendieck completion — which constructs the canon- 
ical Abelian group corresponding to a total commutative monoid — to the relational setting. 
From a category-theoretic perspective, it would be interesting to see whether the obvious 
forgetful functor from CBI-models to BBI-models has a left-adjoint, which would give the 
truly canonical CBI-model corresponding to any BBI-model. 

6. Related and future work 
We consider related work, and directions for future work, from several perspectives. 

Bunched logics: In his monograph on BI |39|, Pym observed that it made sense to think not 
of one bunched logic but rather a family of bunched logics, characterised by the strengths of 
their additive and multiplicative components. We reprise his diagram of the bunched logic 
family, suitably updated, in Figure El CBI is the strongest member of this family, boasting 
two classical negations and being characterised by an underlying Boolean algebra in its 
additive component and a de Morgan algebra in the multiplicative component. Indeed, Pym 
anticipated the formulation of CBI as presented here in at least two important respects: he 
observed that a relevantist approach to multiplicative negation (which we take by using the 
involution operation '—'in our models in place of the Routley star) is classically compatible 
with the other multiplicative connectives; and he noted the problems with cut-elimination 
seemingly inherent in a two-sided sequent calculus for bunched logic. In this paper, we 
provide two key missing links. First, our display calculus DLcbi and its cut-elimination 
theorem, obtained by following Belnap's original methodology for display logic [2], provides 
a well-behaved proof theory for CBI. (Subsequently, the first author has given in [5] a unified 
display calculus proof theory for all four bunched logics in Figure 0) Second, and perhaps 
more importantly, we also provide the connection to Kripke-style resource models with 
precisely the structure necessary to interpret CBI. Our soundness and completeness results 
establishing the correspondence between validity and provability, plus cut-elimination for 
DLcbu can be taken as strong evidence that the formulation of CBI we present here may 
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CBI 

(Boolean, de Morgan) 
undecidable [7J 



,-.__,_ BBI 

/TT , . , , , s (Boolean, Lambek) 

(Heytmg, de Morgan) undecidable [30] 



BI 

(Heyting, Lambek) 
decidable [21] 

Figure 8: The bunched logic family. The (additive, multiplicative) subtitles denote the 
strength of the underlying additive and multiplicative algebras. The arrows de- 
note the addition of either additive (-i) or multiplicative (~) classical negation. 



be considered canonical. We also establish nonconservativity of CBI over BBI, and its 
incompleteness with respect to partial functional models. 

We remark that the bunched logic dMBI (standing for "de Morgan BI") in the dia- 
gram, which combines intuitionistic additives with classical multiplicatives, has not been 
investigated in any great detail, to our knowledge, but it is closely related to the relevant 
logic RW. See the section on relevant logics below for a comparison. 

Relevant logics: CBI, like its bunched logic predecessors, owes a historical debt to the exten- 
sive work on relevant logics and takes many of its mathematical cues from the development 
of these logics, as described in the case of BI by O'Hearn and Pym [36] . Indeed, as they point 
out, if one understands by "relevant logics" nothing but logics whose logical connectives are 
understood primarily in terms of the structural rules which they must respect (cf. [41J), 
then bunched logics are relevant logics. However, in bunched logics, the philosophical ideal 
of relevance has been entirely sacrificed in favour of full-strength additives as equal part- 
ners alongside the multiplicatives. The justification for doing so is semantic; in the Kripke 
models of bunched logics, one has a simple truth reading of formulas in terms of resources, 
in which the additives have their standard meanings. In other words, while relevant logic 
seeks to exclude the paradoxes of material implication, in the setting of bunched logic we 
regard these paradoxes as being perfectly justifiable in terms of our resource models. 

Retrospectively, CBI can be obtained in terms of relevant logics by a series of surgeries 
on the axiomatisation of the full system R and its corresponding class of Kripke models (see 
e.g. [H]) in the following way. First, drop the axiom of multiplicative contraction from R 
(so that the corresponding condition Rxxx on the ternary relation R in the Kripke models 
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of R does not necessarily hold) to obtain the well-known relevant logic RW (a.k.a. C). 
Then one can add both the additive intuitionistic implication — > and falsum _L, which are 
barred from relevant logics in order to exclude various logical principles which contravene 
the philosophical notion of relevance (e.g. the classical tautology Af\B — > A). This addition 
is conservative over the language of RW because — > and _L can already be interpreted in its 
Kripke models using the ordering < on points in the model in the usual intuitionistic way 
(a fact exploited by Restall in order to formulate display calculi for RW and other relevant 
logics [42j). At this point we have obtained a characterisation of the bunched logic dMBI, 
whence to obtain CBI we strengthen the implication — > into the (additive) classical implica- 
tion, which corresponds to taking < in the corresponding Kripke models to be the identity 
ordering. The situation is also similar to that for the classical relevant logics introduced 
by Meyer and Routley [3TJ [32] , which feature traditional Boolean negation alongside the 
relevantist negation employing the Routley star — though, again, multiplicative contraction 
must be removed and the additives given their full classical strength. 

Similarly, it would not surprise a relevantist that CBI can be given a display calculus 
presentation, as display logic historically served as one of the main proof-theoretic tools 
in formulating sensible proof systems for relevant and other substructural logics. Indeed, 
one might deduce that this was the main intention behind Belnap's original formulation of 
display logic [2] , in which the choice of structural rules for a particular logic are identified 
as the principal factor affecting cut-elimination. We note that Gore has shown how to 
automatically generate display calculi for a general class of substructural logics based on 
Dunn's gaggle theory [25J, and it seems more than likely that his techniques could equally 
well be used to obtain DLcbi- Similarly, the correct formulation of DLcbi could have been 
deduced from Restall's display calculi for the relevant logic DW and its various extensions 
including RW [42]. In both the aforementioned cases, however, the modelling power is in 
considerable excess of what is needed to obtain our display calculus for CBI, which falls 
directly under Belnap's original description of displayable logics in [2] because it features 
classical negation in both its additive and multiplicative connective families. 

Linear logic: Readers may wonder about the relationship between CBI and classical linear 
logic (CLL), which also features a full set of propositional multiplicative connectives, and is 
a nonconservative extension of intuitionistic linear logic (ILL) [47 . The differences between 
the two are intuitively obvious when comparing our money model of CBI (Example I5.2[) 
alongside Guard's corresponding Marlboro / Camel example [23J. In particular, formulas 
in our model are read as declarative statements about resources (i.e. money), whereas linear 
logic formulas in Guard's model are typically read as procedural statements about actions. 
Compared to CLL, CBI has the advantage of a simple, declarative notion of truth relative 
to resource, but this advantage appears to come at the expense of CLL's constructive 
interpretation of proofs. 

Of course, the typical reading of BI departs from that of ILL in a similar way (see |36] 
for a discussion), and indeed it seems that the main differences between CBI and CLL 
are inherited from the wider differences between bunched logic and linear logic in general. 
These differences are not merely conceptual, but are also manifested at the technical level 
of logical consequence. For example, P-oQhP->Qisa theorem of linear logic for any 
propositions P and Q, via the encoding of additive implication P — > Q as \P — o Q, but 
P — * Q h P — )► Q is not a theorem of bunched logic. Similarly, distributivity of additive 
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conjunction A over additive disjunction V holds in bunched logics, but fails in linear logics. 
Further differences are highlighted in [7]. 

Interestingly, however, there is an intersection between CBI-models and the CLL-models 
obtained from the phase semantics of classical linear logic [23J. A CBI-model (R, o, e, — , 00} 
in which the monoid operation o is a total function, rather than a relation, is a special 
instance of a phase space, used to provide a phase model of CLL. This can be seen by 
taking the linear logic "perp" _L to be the set R \ {00}, whence the linear negation X 1 - 
on sets ICi! becomes —X. In the linear logic terminology, every subset X of R is then 

a "fact" in the sense that (X^) 1 - = X = X. It seems somewhat curious that there is 

a subclass of models where CBI and CLL agree, since known interesting phase models of 
linear logic are relatively few whereas there appear to be many interesting CBI-models (cf. 
Section [5]). However, one can argue that this subclass is faithful to the spirit of neither 
logic. On the one hand, the restriction to a total monoid operation in CBI-models rules out 
many natural examples where resource combination is partial (or indeed relational). On 
the other hand, it seems certain that the induced subclass of CLL phase models will be at 
odds with the coherence semantics of CLL proofs. 

Applications: The main application of BBI so far has been the use of separation logic in 
program analysis. There are now several program analysis tools [121 [T3| [TBI l49| [35] which 
use logical and semantic properties of the heap model of BBI at their core. These tools 
typically define a suitable fragment of separation logic with convenient algebraic properties, 
and use it in custom lightweight theorem provers and abstract domains. We suggest that 
our work on CBI could be relevant in this area as a foundation for richer resource models. 
In this paper we have already given several new models and model constructions which, 
though relatively simple in their present form, are suggestive of the applicability of CBI to 
more complex domains (cf. Section [5]). In particular, we have observed that several models 
introduced recently for reasoning about concurrent access to resources are CBI models, e.g. 
fractional permissions as used in deny-guarantee reasoning (cf. Example 15. 12[) . 

More speculatively, our display calculus DLcbi might form a basis for the design of 
new theorem provers, which could easily employ the powerful (and historically difficult to 
use) implication — * since, in CBI, it can be reexpressed using more primitive connectives. 
Moreover, the notion of dual or negative resource might be employed in extended theorem 
proving questions, such as the frame inference problem F \- G * X where the frame X 
is computed essentially by subtracting G from F. A similar problem is the bi-abduction 
question, which forms the basis of the compositional shape analysis in [9] and has the form 
F * X \- G *Y, interpreted as an obligation to find formulae to instantiate X and Y such 
that the implication holds. This question arises at program procedure call sites, where F 
is the procedure's precondition, G is the current precondition at the call point, X is the 
resource missing, and Y is the leftover resource. We speculate that such inferences could 
be explained in terms of an ordinary proof theory, providing that multiplicative negation is 
supported, as in CBI. 

Finally, CBI could be applied to the study of other logics. For example, Kleene's 
3-valued logic [28] can be modelled using a subset of CBI's connectives. Consider the two- 
element CBI model given by ({e, 00}, o, e, — , 00), where 00 o 00 = (note that o and — are 
then determined by the CBI-model axioms) . There are CBI- formulas denoting each of the 
subsets of {e,oo}: T, _L, T*, 00 (where 00 is used as an abbreviation for -i_L*). To model 
3-valued logic we focus on T, _L, 00, with 00 playing the role of the third logical value, 
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"unknown". A direct calculation shows that the connectives A, V, and ~ indeed generate 
the truth tables required by 3-valued logic. For example, we have oo V ~oo = oo V oo = oo. 
We speculate that CBI could be applied to other situations in logic where a non-standard 
notion of negation is used. 

We believe that, aside from its intrinsic technical interest, our development of CBI 
contributes to the picture of bunched logic and its connections to computer science as a 
whole, as well as to the broader area of substructural logics in general. Although our 
suggestions regarding specific applications of CBI are necessarily still somewhat speculative 
at this early stage in its existence, we hope that the foundations established in this paper 
will provide a solid platform upon which such applications can, in time, be constructed. 
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Appendix A. Cut-elimination for DLcbi (Theorem I3.8[) 

The following definition is taken from Belnap [2]. By a constituent of a structure or 
consecution we mean an occurrence of one of its substructures. 

Definition A.l (Parameters / congruence). Let I be an instance of a rule R of DLcbi- 
Note that / is obtained by assigning structures to the structure variables occurring in R 
and formulas to the formula variables occurring in R. 

Any constituent of the consecutions in I occurring as part of structures assigned to 
structure variables in I are defined to be parameters of /. All other constituents are defined 
to be non-parametric in /, including those assigned to formula variables. 

Constituents occupying similar positions in occurrences of structures assigned to the 
same structure variable are defined to be congruent in /. 

We remark that congruence as defined above is an equivalence relation. 

Belnap's analysis guarantees cut-elimination for DLcbi (Theorem l3.8p provided its proof 
rules (cf. Figure [3]) satisfy the following conditions, which are stated with reference to an 
instance / of a DLcbi rule R- (Here, following Kracht [29], we state a stronger, combined 
version of Belnap's original conditions C6 and C7, since our rules satisfy this stronger 
condition.) In each case, we indicate how to verify that the condition holds for our rules. 

CI: Preservation of formulas. Each formula which is a constituent of some premise 
of / is a subformula of some formula in the conclusion of /. 

Verification. One observes that, in each rule, no formula variable or structure 
variable is lost when passing from the premises to the conclusions. 

C2: Shape- alikeness of parameters. Congruent parameters are occurrences of the same 
structure. 

Verification. Immediate from the definition of congruence. 

C3: Non-proliferation of parameters. No two constituents in the conclusion of I are 
congruent to each other. 

Verification. One just observes that, for each rule, each structure variable occurs 
exactly once in the conclusion. 

C4: Position- alikeness of parameters. Congruent parameters are either all antecedent 
or all consequent parts of their respective consecutions. 

Verification. One observes that, in each rule, no structure variable occurs both 
as an antecedent part and a consequent part. 

C5: Display of principal constituents. If a formula is nonparametric in the conclusion 
of I, it is either the entire antecedent or the entire consequent of that conclusion. 
Such a formula is said to be principal in /. 

Verification. It is easy to verify that the only non-parametric formulas in the con- 
clusions of our rules are the two occurrences of P in (Id) and those occurring in the 
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introduction rules for the logical connectives, which obviously satisfy the condition. 

C6/7: Closure under substitution for parameters. Each rule is closed under simultane- 
ous substitution of arbitrary structures for congruent formulas which are parameters. 

Verification. This condition is satisfied because no restrictions are placed on the 
structural variables used in our rules. 

C8: Eliminability of matching principal formulas. If there are inferences I\ and I2 
with respective conclusions X \- F and F \- Y and with F principal in both in- 
ferences, then either X h Y is equal to one of X h F and F \- Y, or there is a 
derivation of X h Y from the premises of I\ and I2 in which every instance of cut 
has a cut-formula which is a proper subformula of F. 

Verification. There are only two cases to consider. If F is atomic then X \- F and 
F \- Y are both instances of (Id). Thus we must have X\~F = F\-Y = X\~Y, 
and are done. Otherwise F is non-atomic and introduced in I\ and I2 respectively 
by the right and left introduction rule for the main connective of F. In this case, a 
derivation of the desired form can be obtained using only the display rule (=£>) and 
cuts on subformulas of F. For example, if the considered cut is of the form: 



Xh F,G FhY Gh Z 



Xh FP G F v- GhY,Z 
(Cut) 

X\-Y,Z 

then we can reduce this cut to cuts on F and G in the following manner: 



Xh F,G 

— (=d) 

X,\>Gh F 


F\-Y 

(Cut') 


GY- Z 




X,\)GhY 
X, W h G 


(=d) 


(Cut) 




X,\>Yh Z 
XhY,Z 


d) 



The cases for the other connectives are similarly straightforward. This completes 
the verification of the conditions, and thus the proof. □ 
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